Ivanti released a patch to address three Cloud Services Appliance (CSA) zero-day vulnerabilities that are being actively exploited in attacks. CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381 are high- and medium-severity vulnerabilities that may allow an attacker with admin privileges to bypass restrictions, run arbitrary SQL statements, or obtain remote code execution.
Ivanti mentioned in the advisory, “We are aware of a limited number of customers who are running CSA 4.6 who have been exploited with these vulnerabilities when chained with CVE-2024-8963. We have not observed exploitation of customers running CSA 5.0.”
Ivanti Cloud Services Appliance (CSA) is a landing page for Ivanti Endpoint Manager and Endpoint Security for Endpoint Manager. It provides access to product downloads, documentation, configuration and troubleshooting guides, and a knowledge base. Users can also participate in forums and engage with support.
CISA added CVE-2024-9379 and CVE-2024-9380 to its Known Exploited Vulnerabilities Catalog, acknowledging the active exploitation. CISA requested that users patch the vulnerabilities before October 30, 2024.
CVE-2024-9379
The SQL injection vulnerability exists in the admin web console of Ivanti CSA. Successful exploitation of the vulnerability allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVE-2024-9380
This OS command injection vulnerability exists in the admin web console of Ivanti CSA. Successful exploitation of the vulnerability allows a remote authenticated attacker with admin privileges to obtain remote code execution.
CVE-2024-9381
This path traversal vulnerability exists in Ivanti CSA. Successful exploitation of the vulnerability allows a remote authenticated attacker with admin privileges to bypass restrictions.
Affected versions
The vulnerabilities affect Ivanti Cloud Services Appliance versions 5.0.1 and older.
Mitigation
Customers must upgrade to Ivanti Cloud Services Appliance version 5.0.2 to patch the vulnerabilities.
Please refer to the Ivanti Security Advisory for more information.
Qualys Detection
Qualys customers can scan their devices with QID 380600 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.