Full Report
Ivanti has released security updates to address multiple critical flaws in its Cloud Services Application (CSA) and Connect Secure products that could lead to privilege escalation and code execution. The list of vulnerabilities is as follows - CVE-2024-11639 (CVSS score: 10.0) - An authentication bypass vulnerability in the admin web console of Ivanti CSA before 5.0.3 that allows a remote
Analysis Summary
# Vulnerability: Critical Flaws in Ivanti CSA, Connect Secure, and Sentry
## CVE Details
- CVE ID: CVE-2024-11639, CVE-2024-11772, CVE-2024-11773, CVE-2024-11633, CVE-2024-11634, CVE-2024-8540
- CVSS Score: 10.0 (CVE-2024-11639), 9.1 (CVE-2024-11772, CVE-2024-11773, CVE-2024-11633 and CVE-2024-11634), 8.8 (CVE-2024-8540)
- CWE: Not stated in the summarized text; the weakness classes are Authentication Bypass, Command Injection, SQL Injection, Argument Injection, and Insecure Permissions.
## Affected Systems
- **Products:** Ivanti Cloud Services Application (CSA), Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Sentry.
- **Versions:**
- **CSA (CVE-2024-11639, 11772, 11773):** Before version 5.0.3.
- **Connect Secure (CVE-2024-11633):** Before version 22.7R2.4.
- **Connect Secure & Policy Secure (CVE-2024-11634):** ICS before version 22.7R2.3 and IPS before version 22.7R1.2.
- **Sentry (CVE-2024-8540):** Before versions 9.20.2, 10.0.2, or 10.1.0.
- **Configurations:** The CSA and ICS/IPS flaws all sit in the admin web console. Only CVE-2024-11639 is reachable without credentials; the other four require an authenticated administrator session, so they matter most as a post-bypass or post-credential-theft chain. CVE-2024-8540 is different in kind: it needs local, authenticated access to the Sentry appliance.
## Vulnerability Description
Ivanti released updates addressing multiple critical vulnerabilities across its security products:
1. **CVE-2024-11639 (CVSS 10.0):** An **Authentication Bypass** flaw in the Ivanti CSA admin web console allows a remote, unauthenticated attacker to gain administrative access.
2. **CVE-2024-11772 (CVSS 9.1):** A **Command Injection** vulnerability in the Ivanti CSA admin web console, requiring admin privileges, leading to Remote Code Execution (RCE).
3. **CVE-2024-11773 (CVSS 9.1):** An **SQL Injection** flaw in the Ivanti CSA admin web console, requiring admin privileges, allowing arbitrary SQL execution.
4. **CVE-2024-11633 (CVSS 9.1):** An **Argument Injection** vulnerability in Ivanti Connect Secure, requiring admin privileges, leading to RCE.
5. **CVE-2024-11634 (CVSS 9.1):** A **Command Injection** vulnerability in Ivanti Connect Secure and Policy Secure, requiring admin privileges, leading to RCE.
6. **CVE-2024-8540 (CVSS 8.8):** An **Insecure Permissions** flaw in Ivanti Sentry, allowing a local, authenticated attacker to modify sensitive application data.
## Exploitation
- **Status:** The summarized advisories do not state whether exploitation has been observed. Given a CVSS 10.0 unauthenticated bypass of the admin console on a product line that has been targeted before, treat rapid weaponization and public Proof-of-Concept (PoC) code as the expected outcome and patch on that basis.
- **Complexity:** Attack complexity is low across the set. CVE-2024-11639 needs no credentials; CVE-2024-11772, 11773, 11633 and 11634 need an admin session (which CVE-2024-11639 supplies on CSA, making a bypass-to-RCE chain straightforward there); CVE-2024-8540 needs a local authenticated user.
- **Attack Vector:** **Network** for the five admin-console flaws (unauthenticated for CVE-2024-11639, authenticated for the rest) and **Local** for CVE-2024-8540.
## Impact
- **Confidentiality:** High for the RCE and SQL injection flaws (arbitrary command or query execution on the appliance exposes stored configuration, credentials and data).
- **Integrity:** High; arbitrary code and SQL execution on the CSA/ICS/IPS side, and modification of sensitive application data on Sentry (CVE-2024-8540, as described, is an integrity issue rather than a code-execution one).
- **Availability:** High for the RCE flaws, since full appliance compromise allows disruption or destruction of the service.
## Remediation
### Patches
Ivanti has issued security updates. Specific patched versions are:
- **CSA:** Update to version **5.0.3** or later (fixes CVE-2024-11639, 11772, 11773).
- **Connect Secure (ICS):** Update to version **22.7R2.4** or later (fixes CVE-2024-11633).
- **Connect Secure (ICS) & Policy Secure (IPS):** Update to ICS **22.7R2.3** or later and IPS **22.7R1.2** or later (fixes CVE-2024-11634). Note that an ICS appliance on 22.7R2.3 is still exposed to CVE-2024-11633, so **22.7R2.4** is the target for ICS.
- **Sentry:** Update to **9.20.2**, **10.0.2**, or **10.1.0** or later, depending on the release branch in use (fixes CVE-2024-8540).
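The version comparison above is easy to get wrong by hand (ICS needs 22.7R2.4 to close both CVEs, and Sentry has one fixed build per release branch). The following is an added example, not code from Ivanti or from the advisories, that encodes the fixed versions listed on this page and reports which CVEs still apply to a given installed build. Ivanti's `x.yRa.b` and dotted version strings are compared field by field; treating the Sentry fixes as one per branch (9.x, 10.0.x, 10.1.x) is this example's reading of "before 9.20.2, 10.0.2, or 10.1.0".

```python
"""Check an installed Ivanti build against the fixed versions in the
December 2024 advisories summarised on this page.

Added example: the fixed versions come from the page text, the branch
handling for Sentry is this script's own interpretation of the advisory
wording, and nothing here is Ivanti tooling."""
import re
from typing import NamedTuple


class Fix(NamedTuple):
    cve: str
    branch: tuple      # version prefix that selects this fix; () = any branch
    fixed: str         # first build that carries the fix


# Fixed versions as listed in the Remediation section above.
FIXES = {
    "CSA": [
        Fix("CVE-2024-11639", (), "5.0.3"),
        Fix("CVE-2024-11772", (), "5.0.3"),
        Fix("CVE-2024-11773", (), "5.0.3"),
    ],
    "ICS": [
        Fix("CVE-2024-11633", (), "22.7R2.4"),
        Fix("CVE-2024-11634", (), "22.7R2.3"),
    ],
    "IPS": [
        Fix("CVE-2024-11634", (), "22.7R1.2"),
    ],
    "Sentry": [   # one fixed build per release branch (assumption, see lead-in)
        Fix("CVE-2024-8540", (9,), "9.20.2"),
        Fix("CVE-2024-8540", (10, 0), "10.0.2"),
        Fix("CVE-2024-8540", (10, 1), "10.1.0"),
    ],
}


def parse_version(s: str) -> tuple:
    """'22.7R2.4' -> (22, 7, 2, 4); '5.0.3' -> (5, 0, 3); '4.6' -> (4, 6).

    Every numeric field is compared in order. That is sufficient for the
    versions in these advisories, which carry no letter suffixes after R."""
    nums = tuple(int(x) for x in re.findall(r"\d+", s))
    if not nums:
        raise ValueError(f"unparseable version string: {s!r}")
    return nums


def vulnerable_cves(product: str, installed: str) -> list:
    """Return the sorted CVE IDs that still apply to `installed`."""
    v = parse_version(installed)
    by_cve = {}
    for fix in FIXES[product]:
        by_cve.setdefault(fix.cve, []).append(fix)

    hits = []
    for cve, fixes in by_cve.items():
        # Keep the fixes whose branch prefix matches the installed build.
        applicable = [f for f in fixes
                      if not f.branch or v[:len(f.branch)] == f.branch]
        if not applicable:
            # Build is on a branch the advisory does not list (e.g. Sentry 8.x):
            # compare against the oldest fix so anything older than every
            # fixed build is still reported, and anything newer is not.
            applicable = [min(fixes, key=lambda f: parse_version(f.fixed))]
        if any(v < parse_version(f.fixed) for f in applicable):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inventory rows for demonstration.
    inventory = [("CSA", "4.6"), ("CSA", "5.0.3"), ("ICS", "22.7R2.3"),
                 ("IPS", "22.7R1.1"), ("Sentry", "10.0.1"), ("Sentry", "8.9.0")]
    for product, version in inventory:
        cves = vulnerable_cves(product, version)
        print(f"{product:7s} {version:10s} {'OK' if not cves else ', '.join(cves)}")
```

The ICS case is the one to watch in an inventory report: 22.7R2.3 comes back with CVE-2024-11633 still open even though it closes CVE-2024-11634, which is exactly the detail a "patched = yes/no" column would hide.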
### Workarounds
No workarounds are given in the summarized advisories, so applying the vendor updates is the only fix. As a general compensating control (standard practice, not a vendor-documented mitigation for these CVEs), the admin web console of CSA, ICS and IPS should not be reachable from the internet or from general user networks; restricting it to a management network limits who can reach CVE-2024-11639 at all and who can use the four admin-only flaws after stealing or bypassing credentials.
## Detection
- **Indicators of Compromise:** Review the admin web console audit logs of affected appliances for successful administrator logins from unexpected source addresses, and for administrative actions (configuration changes, new admin users, scheduled commands) that have no corresponding successful login from the same source. The latter pattern is the one to expect from an authentication bypass such as CVE-2024-11639, since the attacker may never produce a login event. For the injection flaws, look for unusual characters or shell/SQL syntax in admin-console request parameters and for new or modified scheduled tasks.
- **Detection Methods and Tools:** Forward appliance logs to a central SIEM before reviewing them, because a successful RCE on the appliance lets the attacker edit local logs. Where the appliance exposes process or network telemetry, alert on shells or unexpected child processes spawned by the web application processes and on outbound connections from the appliance that its configuration does not explain.
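As an added example of the two log checks described above (not Ivanti code, and not Ivanti's log format), the script below runs over a handful of constructed admin-console audit lines and flags administrative actions with no preceding successful login from the same source, plus successful logins from outside an assumed management network. The line format, field names, event names and the `10.20.0.0/24` management range are all inventions for the example; replace `LINE_RE` and `MGMT_NETS` with the real format and ranges in your environment.

```python
"""Triage constructed admin-console audit lines for two patterns:
  1. an admin action from a source with no prior successful login
     (what an authentication bypass would look like), and
  2. a successful admin login from outside the management network.

Added example. The log format and sample lines are constructed for this
page and are not Ivanti's real audit log format."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (hypothetical syslog-style format).
SAMPLE_LOG = """\
2024-12-11T09:58:02Z csa01 adminweb: event=login_ok user=admin src=10.20.0.5
2024-12-11T09:59:10Z csa01 adminweb: event=config_change user=admin src=10.20.0.5 item=ldap_settings
2024-12-11T10:02:13Z csa01 adminweb: event=config_change user=admin src=198.51.100.23 item=os_command_schedule
2024-12-11T10:02:40Z csa01 adminweb: event=login_fail user=admin src=198.51.100.23
2024-12-11T10:03:05Z csa01 adminweb: event=login_ok user=admin src=198.51.100.23
2024-12-11T10:03:30Z csa01 adminweb: event=config_change user=admin src=198.51.100.23 item=user_add
"""

# Hypothetical line shape; adapt to the real appliance log before use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) adminweb: event=(?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: item=(?P<item>\S+))?$"
)

MGMT_NETS = [ip_network("10.20.0.0/24")]   # assumed management network
ADMIN_ACTIONS = {"config_change"}          # events that require an admin session


def parse(log_text: str) -> list:
    """Turn matching lines into dicts with a parsed timestamp and line number."""
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue   # unknown line shape: skip rather than abort the run
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["line"] = n
        events.append(e)
    return events


def triage(log_text: str, mgmt_nets=MGMT_NETS,
           session_window: timedelta = timedelta(hours=8)) -> list:
    """Return findings as dicts with rule, line number and source address.

    `session_window` bounds how old a successful login may be before an
    admin action from that source is treated as unauthenticated."""
    findings = []
    last_login_ok = {}   # source address -> time of most recent successful login
    for e in parse(log_text):
        src = ip_address(e["src"])
        if e["event"] == "login_ok":
            last_login_ok[src] = e["ts"]
            if not any(src in net for net in mgmt_nets):
                findings.append({"rule": "login_from_untrusted_source",
                                 "line": e["line"], "src": e["src"]})
        elif e["event"] in ADMIN_ACTIONS:
            seen = last_login_ok.get(src)
            if seen is None or e["ts"] - seen > session_window:
                findings.append({"rule": "admin_action_without_login",
                                 "line": e["line"], "src": e["src"],
                                 "item": e["item"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the constructed input the first `config_change` from `198.51.100.23` fires `admin_action_without_login` because no successful login from that address precedes it, while the later `config_change` from the same address does not, since a `login_ok` now sits before it. That ordering dependence is the point: run the check over logs shipped off the appliance and sorted by timestamp, not over a local file an attacker with code execution could have trimmed.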
## References
- [Vendor advisory for CSA (CVE-2024-11639, 11772, 11773)](hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US)
- [Vendor advisory for ICS/IPS (CVE-2024-11633, 11634)](hxxps://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs?language=en_US)
- [Vendor advisory for Sentry (CVE-2024-8540)](hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2024-8540?language=en_US)