Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users.
The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0.
“Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel,” the company said in an advisory.
It impacts the following versions of vTM –
- 22.2 (fixed in version 22.2R1)
- 22.3 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.3R2 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.5R1 (fixed in version 22.5R2, available week of August 19, 2024)
- 22.6R1 (fixed in version 22.6R2, available week of August 19, 2024)
- 22.7R1 (fixed in version 22.7R2)
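The version list above maps each affected vTM branch to its fixed release; the following added example (not Ivanti's code) turns that list into a check a vulnerability-management team could run over an inventory. It assumes vTM versions are reported as "<major>.<minor>" with an optional "R<n>" suffix, and the hostnames in the sample inventory are constructed.

```python
import re
from typing import Optional

# Fixed release per affected vTM branch, taken from the version list above.
FIXED_BY_BRANCH = {"22.2": "22.2R1", "22.3": "22.3R3", "22.5": "22.5R2",
                   "22.6": "22.6R2", "22.7": "22.7R2"}

# Assumed version format: "<major>.<minor>" plus an optional "R<n>" suffix
# (e.g. "22.3" or "22.3R2"); a missing suffix is treated as R0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn "22.3R2" into (22, 3, 2) so that versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version string: {version!r}")
    major, minor, rel = m.groups()
    return int(major), int(minor), int(rel or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True below the branch's fix, False at or above it, None when the
    branch is not in the advisory list (the advisory makes no statement)."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def hosts_needing_patch(inventory: dict) -> dict:
    """Map each vulnerable host to the release it should be upgraded to."""
    todo = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            major, minor, _ = parse_version(version)
            todo[host] = FIXED_BY_BRANCH[f"{major}.{minor}"]
    return todo


# Constructed sample inventory; hostnames are hypothetical, not from the article.
SAMPLE_INVENTORY = {
    "vtm-edge-01.example.invalid": "22.3R2",   # below 22.3R3 -> vulnerable
    "vtm-edge-02.example.invalid": "22.7R2",   # at the fix   -> not vulnerable
    "vtm-lab-01.example.invalid": "22.5R1",    # below 22.5R2 -> vulnerable
}

if __name__ == "__main__":
    for host, fix in hosts_needing_patch(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2024-7593, upgrade to {fix}")
```

A branch that is not in the advisory list yields None rather than False, so unknown builds are flagged for manual review instead of being silently treated as safe.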
As a temporary mitigation, Ivanti is recommending that customers limit admin access to the management interface or restrict access to trusted IP addresses.
While there is no evidence that the flaw has been exploited in the wild, it acknowledged the public availability of a proof-of-concept (PoC), making it essential that users apply the latest fixes as soon as possible.
Separately, Ivanti has also addressed two shortcomings in Neurons for ITSM that could result in information disclosure and unauthorized access to the devices as any user –
- CVE-2024-7569 (CVSS score: 9.6) – An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information
- CVE-2024-7570 (CVSS score: 8.3) – Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user
The issues, which affect versions 2023.4, 2023.3, and 2023.2, have been resolved in versions 2023.4 w/ patch, 2023.3 w/ patch, and 2023.2 w/ patch, respectively.
Also patched by the company are five high-severity flaws (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, and CVE-2024-37373) in Ivanti Avalanche that could be exploited to achieve a denial-of-service (DoS) condition or remote code execution. They have been fixed in version 6.4.4.