Hundreds of Ivanti Join Safe and Coverage Safe endpoints stay weak to a number of security points first disclosed greater than a month in the past and which the seller progressively patched.
The issues are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from excessive to essential and so they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection issues.
A few of these vulnerabilities have been reported as exploited by nation-state actors earlier than they have been being leveraged at a bigger scale by a broad vary of menace actors.
Beginning with CVE-2024-22024, the problem is an XXE vulnerability within the SAML element of Ivanti Join Safe, Coverage Safe, and ZTA gateways that allowsunauthorized entry to restricted assets.
First disclosed final week and with no lively exploitation confirmed but, the seller suggested that it’s essential to right away apply out there security updates or mitigations, if there is no such thing as a patch out there.
Risk monitoring service Shadowserver studies that its web scans present greater than 3,900 Ivanti endpoints weak to CVE-2024-22024. Most of them are in america (1,262).
The group noticed roughly 1,000 Ivanti endpoints which might be nonetheless weak to CVE-2024-21887, a flaw that lets authenticated admins execute arbitrary instructions on weak home equipment by sending specifically crafted requests.
The vulnerability was first disclosed as a zero-day on January 10, 2024, and was reportedly exploited by Chinese language hackers, together with CVE-2023-46805, an authentication bypass difficulty.
Yutaka Sejiyama, a security researcher at Macnica, shared his Shodan scan outcomes with BleepingComputer earlier right now, reporting that as of February 15, 2024, 00:15 UTC, there have been 13,636 Ivanti servers that had but to use patches for CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887.
Safety updates for these 4 vulnerabilities have been made out there by Ivanti properly over a month in the past on January 31, 2024.
In line with the researcher, the overall variety of internet-exposed Ivanti servers is 24,239, that means that greater than half of them stay unpatched.
Relating to CVE-2024-22024, which was disclosed and glued on February 8, 2024, Sejiyama’s analysis reveals a world patching proportion of solely 21.1% as of right now, leaving 19,132 servers uncovered to the damaging unauthorized entry flaw.
Sadly, the flaws affecting Ivanti merchandise have been disclosed over a brief interval, giving administrator little time to organize for making use of the patches.
This complicates remediation efforts and heightens the danger of Ivanti techniques being left weak for extended durations, offering menace actors with a big record of potential victims.
