Ivanti Keeps Security Teams Scrambling With 2 More Vulns

Ivanti, whose products have been a big target for attackers recently, has disclosed two more critical vulnerabilities in its technologies — raising more questions about the security of its products in the process.

One of the flaws, tracked as CVE-2023-41724 (CVSS vulnerability-severity score of 9.6 out of 10) is a remote code execution vulnerability in Ivanti Standalone Sentry that researchers from NATO Cyber Security Center reported to the company.

The second flaw that Ivanti disclosed this week is CVE-2023-46808 (CVSS score of 9.9) in Ivanti Neurons for IT Service Management (ITSM).

Critical Severity Bugs

The Standalone Sentry flaw, which impacts all supported versions of the technology (9.17.0, 9.18.0, and 9.19.0), allows an unauthenticated attacker to execute arbitrary code on the underlying operating system. Older versions of Standalone Sentry are also at risk according to Ivanti.

So far, the vendor said it has not seen any evidence of threat actors exploiting the flaw in the wild. "Threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the Internet," Ivanti said.

The vulnerability in Neurons for ITSM gives an authenticated remote attacker a way to write or upload files to the ITSM server and gain the ability to execute arbitrary code on it. As with the RCE flaw in Standalone Sentry, Ivanti said it has seen no signs of exploitation activity so far.

Ivanti has issued updated versions of the affected products to address each vulnerability. The company said it learned of both flaws — and reserved a CVE number for them — late last year, which is why the vulnerabilities have a 2023 CVE number. "It is Ivanti's policy that when a CVE is not under active exploitation that we disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment," the company noted.

Making a Bad Track Record Even Worse

Since January the company has kept security administrators busy with a steady stream of flaws in its products, which in several instances threat actors were quick to pounce upon. One case in point is "Magnet Goblin" a financially motivated threat actor that was among the fastest to exploit CVE-2024-21887, a command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways.

The flaw was one of two zero-days that Ivanti disclosed in early January in the secure remote access technology — the other was CVE-2023-46805 — but for which the company did not issue a patch until weeks later. During the period, numerous threat groups including China-based advanced persistent threat actors such as UNC5221, aka UTA0178, actively exploited the bugs in mass attacks worldwide.

Even as beleaguered admins struggled to address those two initial flaws, Ivanti in late January disclosed two more bugs in its Connect Secure VPN technology, CVE-2024-21888 and CVE-2024-21893, the latter of which was a zero-day bug under active exploitation at time of disclosure. Less than two weeks later, the company disclosed yet another flaw — CVE-2024-22024 — in its Ivanti Connect Secure and Ivanti Pulse Secure technologies, which attackers once again were quick to exploit.

The seemingly incessant bugs in Ivanti's products — and the risk they pose to the vendor's customers, some of whom include very large businesses — predictably have dinged its reputation according to some researchers within the community. Some have even described the flaws — and the company's relatively slow responses to them — as posing an existential threat to businesses.