
Attackers target new Ivanti XXE vulnerability days after patch

Days after Ivanti announced patches for a new vulnerability in its Connect Secure and Policy Secure products, proof-of-concept exploit code has already been published for the flaw and security firms are reporting exploitation attempts in the wild. This follows a difficult month for Ivanti customers who had to deploy emergency mitigations and patches for three different zero-day vulnerabilities that were being exploited in the wild.

The new vulnerability, tracked as CVE-2024-22024, is an XML external entity injection (XXE) in the SAML component of specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. It allows an attacker to access certain restricted resources without authentication and is rated with a severity score of 8.3 out of 10 (high) on the CVSS scale.

Ivanti credits researchers from security firm watchTowr for finding and reporting the flaw, but also notes that it had already flagged that code as potentially insecure internally. The watchTowr researchers said in a report that they found the flaw while analyzing the patch for CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component that Ivanti disclosed on January 31 as a zero-day flaw that was being exploited in targeted attacks.


The CVE-2024-21893 SSRF flaw itself was discovered by Ivanti while investigating two other zero-day vulnerabilities that were announced on January 10 and were being exploited by a Chinese advanced persistent threat (APT) group. In response to those attacks, Ivanti first released an XML-based mitigation that could be applied to affected devices while the company worked on updated versions for all affected software releases.

Updates available for the new Ivanti vulnerabilities

The updates for the four known vulnerabilities — CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation), and CVE-2024-21893 (SSRF in the SAML component) — were finally released on January 31 and February 1.

Updates for the new CVE-2024-22024 (XXE injection) flaw were released on February 8. Ivanti said these updates supersede the previously released ones and noted that customers who factory reset their devices when applying the January 31 and February 1 patches don't need to do it again now after applying the February 8 updates. The factory reset was required to clear out any potential implants and modifications made by attackers using the previous exploits.
