
Ivanti Patches Critical Flaws in Connect Secure, Cloud Services Application

Ivanti has released patches for critical vulnerabilities in Cloud Services Application, Connect Secure, and Policy Secure.


Ivanti on Tuesday announced patches for 11 vulnerabilities in its products, including five critical-severity bugs in Cloud Services Application, Connect Secure, and Policy Secure.

The most severe of these issues is CVE-2024-11639 (CVSS score of 10/10), an authentication bypass affecting the Cloud Services Application (CSA) secure communication solution.

Affecting the administrator web console of the enterprise solution, the flaw allows remote, unauthenticated attackers to access CSA with administrative privileges.

The admin web console was also found vulnerable to a command injection bug (CVE-2024-11772, CVSS score of 9.1) and an SQL injection defect (CVE-2024-11773, CVSS score of 9.1) that could allow remote attackers with administrative privileges to execute arbitrary code or run arbitrary SQL statements, respectively.

Ivanti addressed all three flaws in CSA version 5.0.3 and has credited CrowdStrike for finding and reporting them. Users are advised to update their appliances as soon as possible.

On Tuesday, the company also announced fixes for two critical-severity security defects in Connect Secure (ICS) and Ivanti Policy Secure (IPS) that could lead to remote code execution (RCE).

The issues, tracked as CVE-2024-11633 and CVE-2024-11634 (CVSS score of 9.1), are described as argument injection and command injection bugs. Both can be exploited remotely by authenticated attackers, but only the latter impacts both ICS and IPS.

Ivanti addressed the flaws with the release of ICS version 22.7R2.4 and IPS version 22.7R1.2. The ICS update also resolves three high-severity flaws leading to restrictions bypass and unauthenticated denial-of-service (DoS).
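The practical question for a defender is which appliances in the fleet still sit below the fixed releases named above (CSA 5.0.3, ICS 22.7R2.4, IPS 22.7R1.2). The following is an added example, not code from Ivanti or from this article; it parses version strings in the "major.minor" and "major.minorRx.y" forms the article quotes and flags any inventory entry that is older than the patched release. Two assumptions are made and labelled in the code: that a version with no "R" suffix is the base release and sorts before any "R" release of the same line, and that the inventory format (hostname, product, version) is our own constructed input.

```python
import re

# Fixed versions as stated in the advisory summary above.
FIXED_VERSIONS = {
    "CSA": "5.0.3",      # Cloud Services Application
    "ICS": "22.7R2.4",   # Connect Secure
    "IPS": "22.7R1.2",   # Policy Secure
}

# Matches "5.0.3", "22.7" and "22.7R2.4": a dotted base release plus an
# optional "R" maintenance release. Assumption: this covers the formats
# quoted in the article; anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:R(\d+(?:\.\d+)*))?$")


def parse_version(v: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Split a version into (base_release, r_release) integer tuples.

    "22.7R2.4" -> ((22, 7), (2, 4)); "5.0.3" -> ((5, 0, 3), ()).
    An absent R part is returned as an empty tuple, which the comparison
    below treats as R0 (assumption: base release precedes every R release).
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    base = tuple(int(x) for x in m.group(1).split("."))
    rel = tuple(int(x) for x in m.group(2).split(".")) if m.group(2) else ()
    return base, rel


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so "5.0.3" == "5.0.3.0"."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(installed: str, fixed: str) -> bool:
    """True if `installed` is strictly older than `fixed`."""
    ib, ir = parse_version(installed)
    fb, fr = parse_version(fixed)
    ib, fb = _pad(ib, fb)
    if ib != fb:
        return ib < fb          # different base release decides
    ir, fr = _pad(ir, fr)
    return ir < fr              # same base: compare the R maintenance release


def needs_update(product: str, installed: str) -> bool:
    """True if the installed version predates the fix for that product."""
    return version_lt(installed, FIXED_VERSIONS[product])


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed) for every unpatched entry."""
    return [
        (host, product, version, FIXED_VERSIONS[product])
        for host, product, version in inventory
        if needs_update(product, version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = [
        ("csa-edge-01", "CSA", "5.0.2"),
        ("csa-edge-02", "CSA", "5.0.3"),
        ("vpn-gw-01", "ICS", "22.7R2.3"),
        ("vpn-gw-02", "ICS", "22.7R2.4"),
        ("nac-01", "IPS", "22.7"),
    ]
    for host, product, installed, fixed in audit(sample_inventory):
        print(f"{host}: {product} {installed} is below fixed release {fixed}")
```

Versions that do not match the expected pattern raise `ValueError` instead of silently comparing as "patched"; in an audit script, failing loudly on an unknown format is the safer default.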


High-severity security defects addressed in Sentry, Desktop and Server Management (DSM), and Patch SDK could allow attackers to modify sensitive application components or delete arbitrary files.

Tracked as CVE-2024-10256, the Patch SDK flaw also affects Endpoint Manager (EPM), Security Controls, Neurons Agent, Neurons for Patch Management, and Patch for Configuration Manager.

“We have no evidence of any of these vulnerabilities being exploited in the wild,” Ivanti says. 

Additional information can be found in the company’s December security update post.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
