Why complex combinations of characters in a password are more important than ever.
On September 10, 2024, Ivanti published a security advisory for a zero-day vulnerability in its Cloud Service Appliance (CSA). At first glance the bug looked unremarkable, because according to Ivanti it can only be exploited by an authenticated user. On September 13, however, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, which drew the attention of researchers at Horizon3.
CVE-2024-8190 is an OS command injection vulnerability (CVSS score 7.2) in CSA 4.6 up to and including Patch 518. A successful exploit lets the attacker run arbitrary commands on the appliance. In a dual-homed deployment with ETH-0 configured as the internal interface, the risk of exploitation is significantly reduced, because the vulnerable console is then not reachable from the external side.
Exploitation requires administrator privileges on the device. The researchers noted, however, that a misconfiguration of the network interfaces can leave the vulnerable administrative console exposed to the internet, which removes most of the protection that the authentication requirement appears to give.
Diffing the security update, the researchers found that the CSA management interface is written in PHP and that the fix touches several PHP files. The key change was in the handleDateTimeSubmit function, which passes the TIMEZONE parameter on to the function that applies the timezone setting. The original version did not validate this value, so an attacker could append arbitrary shell commands to it and have them executed.
Developing an exploit showed that the vulnerable functionality lives in the /datetime.php script and is reachable through the authenticated "internal" interface. All the attacker needs is a valid username and password, which confirms the risk for users who do not follow the configuration recommendations: anyone who can reach the console and guess or brute-force the admin credentials can take over the device.
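The injection pattern described above, reconstructed as an added example in Python rather than the appliance's own PHP: a request parameter is pasted into a shell command string, beside the hardened form that validates the value against an allowlist and invokes the utility without a shell. This is illustrative code, not Ivanti's; the function names, the allowlist and the use of `echo` in place of the real timezone utility are assumptions made for the example.

```python
import re
import subprocess

# Constructed allowlist standing in for a full tz database (an assumption
# made for this example; a real implementation would consult the system's
# zoneinfo list).
KNOWN_TIMEZONES = {"UTC", "Europe/London", "America/New_York", "Asia/Tokyo"}

# Shape of an IANA zone name, checked before the allowlist so that shell
# metacharacters are rejected regardless of what the list contains.
TZ_PATTERN = re.compile(r"[A-Za-z]+(?:/[A-Za-z0-9_+-]+){0,2}")


def vulnerable_set_timezone(timezone: str) -> str:
    """The pattern described above: the request parameter is pasted into a
    shell command line without validation. 'echo' stands in for the real
    system utility so the example is harmless to run."""
    cmd = f"echo set-timezone {timezone}"  # untrusted data inside the command string
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def argv_without_shell(timezone: str) -> str:
    """Same call with no shell: the value is a single argv element, so ';',
    '$(...)' and backticks are data, not syntax. Kept separate to isolate
    the effect of dropping shell=True."""
    out = subprocess.run(["echo", "set-timezone", timezone],
                         capture_output=True, text=True)
    return out.stdout.strip()


def hardened_set_timezone(timezone: str) -> str:
    """Hardened form: validate shape and allowlist membership, then invoke
    without a shell. Either check alone would stop this injection; both are
    kept as defence in depth."""
    if not TZ_PATTERN.fullmatch(timezone):
        raise ValueError(f"malformed timezone value: {timezone!r}")
    if timezone not in KNOWN_TIMEZONES:
        raise ValueError(f"unknown timezone: {timezone!r}")
    return argv_without_shell(timezone)


if __name__ == "__main__":
    payload = "UTC; echo INJECTED"
    print(vulnerable_set_timezone(payload))  # second line shows the injected command ran
    print(argv_without_shell(payload))       # one line, payload echoed literally
    try:
        hardened_set_timezone(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script with the sample payload prints two lines for the vulnerable function (the appended command executed), one literal line for the argv-only call, and a rejection for the hardened version. In PHP the equivalent fix is to validate the value and use an argument-escaping call rather than interpolating into the string handed to `exec()`.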
Ivanti recommends configuring ETH-0 as the internal interface, and testing confirmed that requests arriving on the external interface (ETH-1) receive a 403 Forbidden response, so a correctly configured appliance is shielded from external attack. Users who mix up the interfaces or never complete the setup, however, leave the administrative console reachable from the internet.
Worse, when the console is exposed in this way, the device does not limit username and password attempts, so a weak password can be found by brute force. The appliance ships with default admin credentials, but the system forces a password change on first login, so the exposure comes from weak passwords chosen by the administrator rather than from the factory default.
The researchers suspect that the compromised devices were either never configured properly or protected by weak passwords, and that both factors contributed to successful exploitation. As indicators of compromise they pointed to specific log entries showing failed login attempts followed by a successful authentication. Users are advised to review their logs for this pattern and to apply the update (Patch 519 for CSA 4.6, the last fix Ivanti backports to that end-of-life version; Ivanti recommends upgrading to CSA 5.0) without delay.
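The log review suggested above, as an added example that is not part of the original article: a small detector that walks login events per source address and flags the pattern the researchers describe, a run of failed logins from one address followed by a success, as well as long runs of failures still in progress. The log lines are constructed in a generic syslog-like shape for the example; the article does not reproduce the appliance's real log format, so the field names and the `analyse_logins` function are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a generic syslog-like shape. They are NOT the
# appliance's actual log format, which the article does not reproduce; only
# the two event kinds it mentions (failed login, successful login) matter here.
SAMPLE_LOG = """\
Sep 14 02:11:01 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:02 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:02 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:03 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:04 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:04 csa web: login failed user=admin src=203.0.113.7
Sep 14 02:11:05 csa web: login success user=admin src=203.0.113.7
Sep 14 08:30:10 csa web: login failed user=admin src=198.51.100.23
Sep 14 08:30:25 csa web: login success user=admin src=198.51.100.23
Sep 14 09:02:00 csa web: login failed user=admin src=192.0.2.9
Sep 14 09:02:01 csa web: login failed user=admin src=192.0.2.9
Sep 14 09:02:01 csa web: login failed user=admin src=192.0.2.9
Sep 14 09:02:02 csa web: login failed user=admin src=192.0.2.9
Sep 14 09:02:02 csa web: login failed user=admin src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ web: login "
    r"(?P<result>failed|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Finding:
    src: str
    user: str
    failures: int
    outcome: str      # "success-after-failures" or "failures-only"
    last_seen: str


def analyse_logins(log_text: str, threshold: int = 5) -> list[Finding]:
    """Walk the log in order. For each source address keep the current run
    of consecutive failures. A success that ends a run of at least
    `threshold` failures is the pattern described above (brute force that
    eventually worked). A run of at least `threshold` failures with no
    success yet is reported as an attempt still in progress."""
    streak: dict[str, int] = {}
    last_user: dict[str, str] = {}
    last_ts: dict[str, str] = {}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, ignore
        src, user, ts = m["src"], m["user"], m["ts"]
        last_user[src], last_ts[src] = user, ts
        if m["result"] == "failed":
            streak[src] = streak.get(src, 0) + 1
        else:
            if streak.get(src, 0) >= threshold:
                findings.append(Finding(src, user, streak[src],
                                        "success-after-failures", ts))
            streak[src] = 0  # a success resets the run
    # Sources that never succeeded but exceeded the threshold
    for src, n in streak.items():
        if n >= threshold:
            findings.append(Finding(src, last_user[src], n,
                                    "failures-only", last_ts[src]))
    return findings


if __name__ == "__main__":
    for f in analyse_logins(SAMPLE_LOG):
        print(f"{f.src:15} {f.user:8} failures={f.failures:<3} "
              f"{f.outcome:24} last={f.last_seen}")
```

On the sample data the detector reports 203.0.113.7 (six failures, then a success) and 192.0.2.9 (five failures, no success yet), and stays silent on 198.51.100.23, whose single typo before a successful login is normal administrator behaviour. The threshold is deliberately a parameter: with no rate limiting on the console, tune it against the baseline of your own administrators' logins rather than guessing.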