Ivanti, whose products have been a big target for attackers recently, has disclosed two more critical vulnerabilities in its technologies, raising further questions about the security of its products in the process.
One of the flaws, tracked as CVE-2023-41724 (CVSS vulnerability severity score of 9.6 out of 10), is a remote code execution vulnerability in Ivanti Standalone Sentry that NATO Cyber Security Center researchers reported to the company.
The second flaw Ivanti revealed this week is CVE-2023-46808 (CVSS score of 9.9) in Ivanti Neurons for IT Service Management (ITSM).
Critical severity bug
The Standalone Sentry flaw, which affects all supported versions of the technology (9.17.0, 9.18.0, and 9.19.0), allows an unauthenticated attacker to execute arbitrary code on the underlying operating system. According to Ivanti, older versions of Standalone Sentry are also at risk.
So far, the vendor said it has seen no evidence that threat actors have exploited the flaw in the wild. “Threat actors without a valid TLS client certificate registered through EPMM cannot directly exploit this issue on the Internet,” Ivanti said.
The vulnerability in Neurons for ITSM gives an authenticated, remote attacker a way to write or upload files to the ITSM server and gain the ability to execute arbitrary code on it. As with the RCE flaw in Standalone Sentry, Ivanti said it has seen no signs of exploit activity so far.
Ivanti has released updated versions of the affected products to address each vulnerability. The company said it became aware of both flaws, and reserved CVE numbers for them, late last year, which is why the vulnerabilities have 2023 CVE numbers. “Per Ivanti policy, when a CVE is not under active exploitation, we disclose the vulnerability as soon as a fix is available, so that customers have the tools they need to protect their environment,” the company noted.
Making a bad record even worse
Since January, the company has kept security administrators busy with a constant stream of flaws in its products, which in several cases threat actors have been quick to pounce on. A case in point is “Goblin Magnet,” a financially motivated threat actor who was among the fastest to exploit CVE-2024-21887, a command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways.
The flaw was one of two zero-days that Ivanti disclosed in early January in the secure remote access technology (the other was CVE-2023-46805), but for which the company only released a patch weeks later. During that period, numerous threat groups, including China-based advanced persistent threat actors such as UNC5221, aka UTA0178, actively exploited the bugs in mass attacks around the world.
Even as troubled administrators struggled to fix these two initial flaws, in late January Ivanti revealed two more bugs in its Connect Secure VPN technology, CVE-2024-21888 and CVE-2024-21893, the latter of which was a zero-day bug under active exploitation at the time of disclosure. Less than two weeks later, the company revealed another flaw, CVE-2024-22024, in Ivanti Connect Secure and Ivanti Pulse Secure technologies, which attackers were once again quick to exploit.
The seemingly incessant bugs in Ivanti products, and the risk they pose to the vendor’s customers, some of which include very large companies, have, according to some researchers, predictably tarnished its reputation within the community. Some have even described the flaws, and the company’s relatively slow responses to them, as an existential threat to businesses.