Five Ivanti software products are subject to malicious exploitation at once

Tomcat

The company hastily releases patches, fixing a total of 16 vulnerabilities.

On May 21, Ivanti released updates to address many critical vulnerabilities in products such as Endpoint Manager, Avalanche, Neurons for ITSM, Connect Secure, and Secure Access. A total of 16 vulnerabilities were fixed, which we will briefly discuss below.

Of the ten identified vulnerabilities in Endpoint Manager, six are related to SQL injection (CVE-2024-29822, CVE-2024-29823, CVE-2024-29824, CVE-2024-29825, CVE-2024-29826, CVE-2024-29827). They have a CVSS score of 9.6. These vulnerabilities allow an unauthenticated attacker located on the same network to execute arbitrary code.

The remaining four vulnerabilities in Endpoint Manager (CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, CVE-2024-29846) require the attacker to be authenticated, but likewise allow arbitrary code execution. These flaws are rated 8.4 on the CVSS scale and affect the Core server of Ivanti EPM 2022 SU5 and earlier versions.

In Ivanti Avalanche client version 6.4.3.602, the company fixed the critical vulnerability CVE-2024-29848 (CVSS 7.2), which allows hackers to remotely execute code by downloading a specially crafted file.

The company also released patches for five other high-risk vulnerabilities: an SQL injection (CVE-2024-22059, CVSS 8.8) and an unrestricted file upload flaw (CVE-2024-22060, CVSS 8.7) in Ivanti Neurons for ITSM, a CRLF injection in Ivanti Connect Secure (CVE-2023-38551, CVSS 8.2), and two local privilege escalation vulnerabilities in Ivanti Secure Access: CVE-2023-38042, CVSS 7.8 (affects Windows) and CVE-2023-46810, CVSS 7.3 (affects Linux).

The company stressed that it has no evidence that these vulnerabilities have been exploited in real attacks or that they were introduced into its code development process through the supply chain.

Ivanti customers are advised to immediately install the latest security patches to address critical vulnerabilities. It is also essential to check for updates regularly, follow best cybersecurity practices, audit systems and processes, and have an incident response plan in place to respond quickly in the event of a real hack.
 