Ivanti has alerted customers to another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.
The problem, tracked as CVE-2024-22024, has a rating of 8.3 out of 10 on the CVSS scoring system.
“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA Gateway that allows an attacker to gain access to certain limited resources without authentication,” the company said in an advisory.
The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in its products that have emerged since the beginning of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
CVE-2024-22024 affects the following product versions:
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
- Ivanti Policy Secure (version 22.5R1.1)
- ZTA (version 22.6R1.3)
Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4 and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5 and 22.6R1.7.
Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 subject to widespread abuse, it is critical that users move quickly to apply the latest fixes.
Update
Cybersecurity firm watchTowr, which said it disclosed CVE-2024-22024 to Ivanti in early February 2024, said the issue stems from an incorrect fix for CVE-2024-21893 introduced in the latest version of the software.
“XXE is an introduction to a variety of impacts: DoS, local file reading, and SSRF,” the firm wrote. “The impact, clearly, of SSRF depends on which protocols are available for use.”
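The defender's counterpart to the XXE impacts listed above, as an added example that is not Ivanti's or watchTowr's code: a SAML Response consumer that refuses any document carrying a DOCTYPE or entity declaration before the real parse, since external entities can only enter through a DTD and SAML messages have no legitimate use for one. The namespaces are standard SAML 2.0; the two sample messages and the `file:///placeholder/path` URI are constructed.

```python
import base64
import xml.parsers.expat
from xml.etree import ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class UnsafeSamlDocument(ValueError):
    """The message carries a DTD construct that SAML has no use for."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE or entity declaration.
    External entities need a DTD, so refusing the DTD closes the XXE class
    (file read, SSRF, entity-expansion DoS) before the real parse starts."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSamlDocument(f"DOCTYPE {name!r} is not allowed in SAML")

    def on_entity_decl(*_):
        raise UnsafeSamlDocument("entity declarations are not allowed in SAML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # a handler exception propagates out of Parse


def saml_issuer(b64_response: str) -> str:
    """Decode a SAMLResponse form field and return its Issuer, failing closed."""
    raw = base64.b64decode(b64_response)
    reject_dtd(raw)
    issuer = ET.fromstring(raw).find("saml:Issuer", SAML_NS)
    if issuer is None or not issuer.text:
        raise UnsafeSamlDocument("Response carries no Issuer")
    return issuer.text.strip()


def rejects(b64_response: str) -> bool:
    """True when the hardening step refuses the message."""
    try:
        saml_issuer(b64_response)
    except UnsafeSamlDocument:
        return True
    return False


# Constructed samples, not captured traffic: a plain Response and an XXE one.
_HEAD = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">')
BENIGN = base64.b64encode(
    _HEAD + b"<saml:Issuer>https://idp.example.test</saml:Issuer></samlp:Response>").decode()
XXE = base64.b64encode(
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    + _HEAD + b"<saml:Issuer>&ext;</saml:Issuer></samlp:Response>").decode()
```

The check runs on the raw bytes before `ElementTree` ever sees them, so the rejection does not depend on how a downstream parser handles entity resolution.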