Published: 24 September 2024
Prepared by: Adam Skupien, Vulnerability Security Analyst
PURPOSE
The purpose of this alert is to bring attention to a critical-risk publicly released vulnerability identified as CVE-2024-8963 Path Traversal in the Ivanti Cloud Service Appliance (CSA) which affects versions of the appliance before 4.6 Patch 519. The exploitation of this vulnerability allows a remote unauthenticated attacker to access restricted functionality within the appliance.
On 20 September 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing this vulnerability and urging organisations to follow the mitigations advice provided in the Ivanti Security Advisory.
Ivanti has also advised they are aware of customers who have been impacted by exploitation of this vulnerability.
DETAILS
On 19 September 2024, Ivanti issued a security advisory for a CRITICAL severity vulnerability identified as CVE-2024- Path Traversal in the Ivanti CSA before 4.6 Patch 519 vulnerability. Ivanti have advised that they have observed limited exploitation of this vulnerability.
The vulnerability is affects Ivanti CSA version 4.6 where patch 519 has not been applied. Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality, however, iIf CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance.
Ivanti have also noted that Ivanti CSA 4.6 is End-of-Life and patches will no longer be provided for the OS or third-party libraries. Customers must upgrade to Ivanti CSA 5.0 for continued support.
CISA have also added CVE-2024-8963 to its catalogue of known exploitable vulnerabilities on 19 September 2024.
MITIGATION ACTIONS
The recommended solution is to upgrade Ivanti CSA 4.6 to CSA 5.0.
CSA 4.6 patch 518 can be updated to Patch 519 to remediate this vulnerability, however, as CSA 4.6 has entered End-of-Life, the strongly recommended path is to upgrade to CSA 5.0 as this is the currently supported release.
DETECTION
Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).
