Full Report
Defenders shed light on a set of vulnerabilities in Ivanti Cloud Service Appliances (CSA) that can be chained for further exploitation. The latest joint alert by CISA and FBI notifies the global defender community of at least two exploit chains using Ivanti vulnerabilities tracked as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380. Adversaries can take advantage of exploit […] The post CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 Detection: CISA and FBI Warn Defenders of Two Exploit Chains Using Critical Ivanti CSA Vulnerabilities appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Chained Exploitation of Critical Ivanti CSA Vulnerabilities (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380)
## CVE Details
- CVE ID: CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380
- CVSS Score: Not explicitly provided in the text (Severity implies Critical due to exploitation)
- CWE: Not explicitly provided in the text
## Affected Systems
- Products: Ivanti Cloud Service Appliances (CSA)
- Versions: Not specified, but implied to be vulnerable versions prior to patching.
- Configurations: Unknown, but focused on CSA devices.
## Vulnerability Description
This notice concerns four vulnerabilities (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380) in Ivanti CSAs that are being actively chained by adversaries to achieve critical compromises. Two primary exploit chains have been identified:
1. **Chain 1 (CVE-2024-8963 + CVE-2024-8190 + CVE-2024-9380):** Adversaries send a GET request to acquire session and CSRF tokens, followed by a POST request manipulating the `setSystemTimeZone` function to achieve code execution.
2. **Chain 2 (CVE-2024-8963 + CVE-2024-9379):** Adversaries attempt to exploit CVE-2024-9379 via requests containing an SQL injection payload in the lockout attempts input to create a web shell.
The ultimate goal of these chains is to gain initial access, achieve remote code execution (RCE), steal credentials, and deploy malware.
## Exploitation
- Status: Exploited in the wild (Adversaries are using these chains)
- Complexity: Implied Medium/High due to the necessity of chaining multiple vulnerabilities.
- Attack Vector: Network (Involves sending crafted requests over the network).
## Impact
- Confidentiality: High (Credential theft, malware deployment)
- Integrity: High (Code execution allows system modification)
- Availability: High (Malware deployment can impact service availability)
## Remediation
### Patches
- Specific patch versions are not listed in the summary, but defenders should apply all relevant security updates released by Ivanti following their advisory from January 1st, 2025.
### Workarounds
- No explicit workarounds were provided in this summary. Operators should consult the official Ivanti advisory for immediate mitigating steps if patching is not possible.
## Detection
- Detection efforts focus on identifying the specific request patterns used in the exploit chains:
  - Look for network traffic involving crafted GET requests for tokens followed by targeted POST requests against functions like `setSystemTimeZone`.
  - Monitor for SQL injection attempts within inputs related to lockout mechanisms.
- Post-exploitation indicators of compromise (IOCs) to watch for are the subsequent steps of RCE, credential theft, and malware deployment associated with Ivanti CSA compromises.
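As an added illustration of the detection guidance above (example code written for this summary, not from SOC Prime, CISA or Ivanti), the following Python scans constructed web-server access-log lines for both chain patterns: a GET followed within a short window by a POST to `setSystemTimeZone` from the same source, and SQL metacharacters in a lockout-related parameter. The log format, the `lockout_attempts` parameter name and the 60-second pairing window are assumptions; only the `setSystemTimeZone` function name comes from the advisory text.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined style), not real Ivanti CSA logs.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [15/Oct/2024:10:00:03 +0000] "POST /setSystemTimeZone HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [15/Oct/2024:10:05:00 +0000] "GET /settings?lockout_attempts=5 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2024:10:06:00 +0000] "GET /settings?lockout_attempts=1%27-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.8 - - [15/Oct/2024:11:00:00 +0000] "POST /setSystemTimeZone HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# SQL metacharacters and keywords that never belong in a numeric lockout-attempts value.
SQLI_RE = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|sleep)\b", re.I)
CHAIN1_WINDOW = timedelta(seconds=60)  # assumed max gap between the token GET and the POST


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # non-matching lines (headers, garbage) are skipped by the caller
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(log_text):
    """Return (rule, source_ip, uri) findings for the two chain patterns, in log order."""
    findings = []
    last_get = {}  # source ip -> timestamp of its most recent GET
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, uri = rec["ip"], rec["uri"]
        # Chain 1: a GET (token harvest) shortly followed by a POST touching setSystemTimeZone.
        if rec["method"] == "GET":
            last_get[ip] = rec["ts"]
        elif rec["method"] == "POST" and "setSystemTimeZone" in uri:
            prior = last_get.get(ip)
            paired = prior is not None and rec["ts"] - prior <= CHAIN1_WINDOW
            rule = "chain1_get_then_timezone_post" if paired else "timezone_post_unpaired"
            findings.append((rule, ip, uri))
        # Chain 2: SQL metacharacters inside any lockout-related query parameter (hypothetical name).
        for key, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
            if "lockout" in key.lower() and any(SQLI_RE.search(v) for v in values):
                findings.append(("chain2_sqli_in_lockout_param", ip, uri))
    return findings
```

An unpaired POST to the time-zone function is still reported, at a separate rule name, because that administrative function should rarely be hit from an external source at all; tune the window and parameter names to the appliance's real log fields before deploying.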
## References
- Vendor Advisories: Ivanti (Advisory issued around January 1st, 2025)
- Relevant links: CISA and FBI Joint Alert notification.