Ivanti has released security updates to address four security flaws that impact Connect Secure and Policy Secure Gateways and could lead to code execution and denial of service (DoS).
The list of defects is as follows:
- CVE-2024-21894 (CVSS Score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted requests to crash the service, thus causing a DoS attack. Under certain conditions, this may lead to arbitrary code execution.
- CVE-2024-22052 (CVSS Score: 7.5) – A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted requests to block the service, thus causing a DoS attack.
- CVE-2024-22053 (CVSS Score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted requests to crash the service, thus causing a DoS attack or, under certain conditions, reading contents from memory.
- CVE-2024-22023 (CVSS Score: 5.3) – An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests that temporarily cause resource exhaustion, resulting in a time-limited DoS.
The company, which has been grappling with a steady stream of security flaws in its products since the beginning of the year, said it was not aware of “any customers exploited by these vulnerabilities at the time of disclosure.”
Late last month, Ivanti distributed patches for a critical flaw in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could allow an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.
It also fixed another critical flaw impacting local versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse to perform arbitrary file writes and gain code execution.
In an open letter published on April 3, 2023, Ivanti CEO Jeff Abbott said the company is “closely examining” its posture and processes to meet the requirements of the current threat landscape.
Abbott also said that “the events of the last few months have been humbling” and that the company is executing a plan that fundamentally changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and redesigning its engineering, security and vulnerability management practices.
“We are ramping up our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to increase our internal research and facilitate responsible vulnerability disclosure with greater incentives around an enhanced bug bounty program,” Abbott said.