SecurityWeek

Ivanti Patches Critical Vulnerabilities in Neurons for ITSM, Virtual Traffic Manager

Ivanti has released patches for multiple vulnerabilities in Neurons for ITSM, Avalanche, and Virtual Traffic Manager, including critical bugs.

IT software company Ivanti on Tuesday announced patches for eight vulnerabilities in Neurons for ITSM, Avalanche, and Virtual Traffic Manager, including two critical-severity flaws.

Two security defects were resolved in Neurons for ITSM, including a critical-severity information disclosure issue that could allow “an unauthenticated attacker to obtain the OIDC client secret via debug information”. The bug is tracked as CVE-2024-7569 (CVSS score of 9.6).

Ivanti also announced patches for CVE-2024-7570 (CVSS score of 8.3), a high-severity improper certificate validation flaw that could allow a remote attacker in a man-in-the-middle (MiTM) position “to craft a token that would allow access to ITSM as any user”.

Ivanti announced patches for Neurons for ITSM versions 2023.2, 2023.3, and 2023.4. The company applied the fixes to all Neurons for ITSM Cloud landscapes on August 4.

The software company also announced the rollout of patches for a critical-severity bug in Virtual Traffic Manager (vTM) that could be exploited remotely to bypass authentication and create an administrator user in the admin panel.

Tracked as CVE-2024-7593 (CVSS score of 9.8), the security defect was resolved with the release of vTM versions 22.2R1 and 22.7R2. Ivanti says patches will also be included in vTM versions 22.3R3, 22.5R2, and 22.6R2, which will be released next week.

On Tuesday, Ivanti also announced patches for five high-severity vulnerabilities in Avalanche, including four that could allow remote, unauthenticated attackers to mount denial-of-service (DoS) attacks or read arbitrary files on the server.

The fifth bug, an improper input validation issue, could be exploited to achieve remote code execution (RCE). However, an attacker would have to be authenticated as an administrator user to exploit the flaw.

All five security defects were resolved with the release of Avalanche version 6.4.4. Ivanti recommends that customers download the Avalanche installer and upgrade to the patched version of the product.

Ivanti says it is not aware of any of these vulnerabilities being exploited in the wild, but points out that a proof-of-concept (PoC) exploit is available for the critical vTM flaw. 

Additional information can be found in Ivanti’s August security advisory.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
