Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the ten vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining four bugs – CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) – also fall under the same category, with the only difference being that they require the attacker to be authenticated.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file.
In addition, patches have been shipped for five other high-severity vulnerabilities: an SQL injection (CVE-2024-22059) and an unrestricted file upload bug (CVE-2024-22060) in Neurons for ITSM, a CRLF injection flaw in Connect Secure (CVE-2023-38551), and two local privilege escalation issues in the Secure Access client for Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti stressed that there is no evidence of the flaws being exploited in the wild or that they were “introduced into our code development process maliciously” via a supply chain attack.
The development comes as details emerged of a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix (CVE-2024-4701, CVSS score: 9.9) that could lead to remote code execution.
Described as a path traversal vulnerability, the shortcoming could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The issue stems from the fact that Genie’s REST API is designed to accept a user-supplied filename as part of the request, thus allowing a malicious actor to craft a filename such that it can escape the default attachment storage path and write a file with any user-specified name to a path specified by the actor.
“Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted,” the maintainers said in an advisory.
“Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system that the Java process has write access to – potentially leading to remote code execution (RCE).”
That said, users who do not store the attachments locally on the underlying file system are not susceptible to this issue.
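The defensive counterpart of the attachment-name problem described above, as an added example that is not Genie’s own code: a user-supplied attachment name is treated as a single path component, resolved against a fixed storage root, and rejected if the normalized result lands anywhere outside that root. The storage root and the sample names in main() are constructed for this illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (not from the Genie project): confine user-supplied
 *  attachment names to a fixed storage directory. */
public final class AttachmentPathGuard {
    private AttachmentPathGuard() {}

    /**
     * Returns the absolute path under storageRoot where the attachment may be
     * written, or throws IllegalArgumentException if the name would escape it.
     */
    public static Path resolve(Path storageRoot, String userFilename) {
        if (userFilename == null || userFilename.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // An attachment name is one path component: separators (either
        // flavour) and NUL bytes have no legitimate place in it.
        if (userFilename.indexOf('/') >= 0 || userFilename.indexOf('\\') >= 0
                || userFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("separator in name: " + userFilename);
        }
        if (userFilename.equals(".") || userFilename.equals("..")) {
            throw new IllegalArgumentException("reserved name: " + userFilename);
        }
        Path root = storageRoot.toAbsolutePath().normalize();
        // Resolve, normalize, then re-check containment: the component-wise
        // startsWith is the authoritative test, not the string filters above.
        Path target = root.resolve(userFilename).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("escapes storage root: " + userFilename);
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/genie/attachments"); // constructed root
        String[] names = {"job.sh", "../../tmp/escaped", "..\\..\\escaped", "..", "."};
        for (String n : names) {
            try {
                System.out.println("accept " + n + " -> " + resolve(root, n));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + n + ": " + e.getMessage());
            }
        }
    }
}
```

Running it accepts only job.sh under the constructed root and rejects the four escaping or reserved names, which is the behaviour an attachment endpoint needs before it touches the filesystem.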
“If successful, such an attack could fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files,” Contrast Security researcher Joseph Beeton said.
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal defects in software to breach targets, calling on developers to adopt a secure by design approach for eliminating such security holes.
“Incorporating this risk mitigation at the outset – beginning in the design phase and continuing through product release and updates – reduces both the burden of cybersecurity on customers and risk to the public,” the government said.
The disclosure also comes in the wake of various vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s Control Edge Unit Operations Controller (UOC) that could result in unauthenticated remote code execution.
“An attacker already on an OT network would use a malicious network packet to exploit this vulnerability and compromise the virtual controller,” Claroty said. “This attack could be carried out remotely in order to modify data, resulting in full control of the controller and the execution of malicious code.”