Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

Avatar
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows – CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
[[{“value”:”

Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild.

The list of vulnerabilities is as follows –

CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator
CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”

It further noted that it “expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public.”

In tandem to the public disclosure of the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment,” it said. “Customers should expect this process to take 3-4 hours.”

As temporary workarounds to address CVE-2024-21888 and CVE-2024-21893, users are recommended to import the “mitigation.release.20240126.5.xml” file.

The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have come under broad exploitation by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a fresh advisory published today, said adversaries are leveraging the two shortcomings to capture credentials and drop web shells that enable further compromise of enterprise networks.

“Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection,” the agency said.

“Sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Hackers Exploiting Ivanti VPN Flaws to Deploy KrustyLoader Malware

Next Post

RunC Flaws Enable Container Escapes, Granting Attackers Host Access

Related Posts

New Phishing Campaign Targets Oil & Gas with Evolved Data-Stealing Malware

An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector. "The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident," Cofense researcher Dylan Duncan said. The
Avatar
Read More