Ivanti has recently released patches to address three significant security vulnerabilities in its Cloud Services Appliance (CSA), which were being actively exploited. The CSA is an internet-based appliance designed to provide secure communication and functionality.
The vulnerabilities, identified in versions earlier than 5.0.2, include an SQL injection (CVE-2024-9379), an OS command injection (CVE-2024-9381), and a path traversal issue (CVE-2024-9380).
These flaws, with CVSS scores ranging from 6.5 to 7.2, could allow attackers to escalate privileges, execute arbitrary commands, and bypass security controls. In some cases, these vulnerabilities were being exploited in combination with a previously identified flaw, CVE-2024-8963, which Ivanti had patched in September.
The SQL injection vulnerability (CVE-2024-9379) allows remote attackers to execute arbitrary SQL queries through the CSA admin console, potentially leading to elevated privileges. The OS command injection flaw (CVE-2024-9381) could enable remote code execution, while the path traversal issue (CVE-2024-9380) lets attackers bypass certain restrictions.
These vulnerabilities predominantly affect organizations running older versions of CSA, especially those on version 4.6 or earlier. While Ivanti has not reported active attacks in CSA 5.0, it strongly advises users to upgrade to version 5.0.2 to mitigate potential risks.
Ivanti’s advisory highlights that customers running the outdated CSA 4.6 patch 518 or earlier have already been exploited when combining these vulnerabilities with CVE-2024-8963. The company pointed out that CSA 4.6 is now end-of-life and will no longer receive security updates.
As a result, customers are urged to upgrade to the latest version, as using older versions increases the risk of exploitation. Even though there have been no confirmed active exploits in CSA 5.0, Ivanti recommends upgrading to 5.0.2 for enhanced security.
The rising number of breaches involving cloud-based systems is concerning. Currently, cloud breaches account for 45% of all data breaches, and nearly half of all businesses have reported experiencing some form of attack. This trend has prompted Ivanti to improve its internal testing and vulnerability scanning processes.
The company has also been working to streamline its vulnerability disclosure process to respond faster to emerging threats. As part of its commitment to security, Ivanti signed the CISA Secure by Design pledge in May, emphasizing its focus on building more secure products from the start.
Along with the vulnerabilities in CSA, Ivanti disclosed two additional flaws last month: CVE-2024-8963, an admin bypass vulnerability, and CVE-2024-8190, a command injection flaw. Both of these were added to the CISA’s Known Exploited Vulnerabilities catalog, requiring federal agencies to address them by October 10.
In response to the growing number of security threats, Ivanti has made significant investments in Secure by Design initiatives and is actively working to strengthen its security practices. These efforts reflect Ivanti’s commitment to protecting its cloud services against evolving risks and ensuring customers are better protected against cyberattacks.