According to CISA, the FBI, and trusted third-party incident response data, threat actors chained vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
VULNERABILITIES
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.
Vendor/Product: Ivanti
Description: Ivanti Cloud Service Applications:
According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days. Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.
Impact: According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.
Source: CVE-2024-8963 [CWE-22: Path Traversal] Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability. This is an administrate bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victims’ network and execute arbitrary commands on the appliance
Max Severity: Critical
CVSS Score: 9.1
Mitigation:
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Source: CVE-2024-8190 Ivanti Cloud Services Appliance OS Command Injection Vulnerability. An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
Max Severity: High
CVSS Score: 7.2
Mitigation:
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Source: CVE-2024-9379 [CWE-89: SQL Injection] Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability. This allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]
Max Severity: High
CVSS Score: 7.2
Mitigation:
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Source: CVE-2024-9380 [CWE-77: Command Injection] Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability. This allows a remote authenticated attacker with admin privileges to obtain RCE.[1]
Max Severity: High
CVSS Score: 7.2
Mitigation:
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
