Customer portal
Articles Tagged with

Ivanti ICS

"ivanti"/
Flash Alert

Flash Alert – Further vulnerabilities reported in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA

Two new vulnerabilities have been disclosed by Ivanti, relating to their Connect Secure, Policy Secure and Neurons for ZTA products and services.

Ivanti Connect Secure & Ivanti Policy Secure

CVE-2024-21888

CVSS: 8.8 HIGH

Ivanti has disclosed a further vulnerability affecting their Connect Secure and Policy Secure solutions.  Impacting all currently supported versions (9.x and 22.x), the vulnerability allows a user (malicious or otherwise) to elevate their current privileges to that of an administrator.

Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA

CVE-2024-21893

CVSS: 8.2 HIGH

A server-side vulnerability exists in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA.  When exploited, a threat actor could access certain restricted resources without needing to authenticate.

While no threat actor use of CVE-2024-21888 has yet been discovered, there has been limited, targeted use of CVE-2024-21893. Following the disclosure of these vulnerabilities, exploitation of impacted services is suspected to increase.  Therefore, it is vital that the affected services are fully patched and updated to mitigate any risks.

The release of these vulnerabilities follows Ivanti’s research into vulnerabilities disclosed earlier in the month, CVE-2023-46805 and CVE-2024-21887 (previously reported here).  Given the volume of vulnerabilities coming from Ivanti at this time, it is expected that threat actors will put an increased focus on identifying more in order to exploit vulnerable users.

"Ivanti"/
Flash Alert

Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

In the past week, the following vulnerabilities have been disclosed, affecting:

  • Ivanti ICS
  • Ivanti Policy Secure
  • Citrix NetScaler ADC
  • Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks.  CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.

When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.

Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.

Ivanti is currently working on patches to fix these vulnerabilities.  In the meantime, it is recommended that the mitigations they have suggested are implemented to avoid unnecessary risk.  These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products.  The following supported versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302*
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable

CVE-2023-6548 allows a threat actor authenticated, low-privileged access to remotely execute code on the management interface of a compromised device.  This requires them to have access to the NSIP, CLIP or SNIP which itself has management interface access.

CVE-2023-6549 applies to appliances configured as one of the following:

  • VPN virtual servers
  • ICA proxies
  • CVPNs
  • RDP proxies
  • AAA virtual servers

Exploitation of this vulnerability involves a threat actor restricting operations within the memory buffer, thereby causing an unauthenticated Denial of Service attack.

A patch will follow in due course, but in the meantime, Citrix recommends the following:

  • Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
  • Ensure the management interface is not exposed to the internet
  • Ensure all previous patches are installed and software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound