IT software company Ivanti on Tuesday announced patches for eight vulnerabilities in Neurons for ITSM, Avalanche, and Virtual Traffic Manager, including two critical-severity flaws.
Two security defects were resolved in Neurons for ITSM, including a critical-severity information disclosure issue that could allow “an unauthenticated attacker to obtain the OIDC client secret via debug information”. The bug is tracked as CVE-2024-7569 (CVSS score of 9.6). Because applying the patch does not revoke a secret that may already have been read, administrators who cannot rule out earlier exposure of that debug output should also rotate the OIDC client secret at their identity provider after upgrading.
Ivanti also announced patches for CVE-2024-7570 (CVSS score of 8.3), a high-severity improper certificate validation flaw that could allow a remote attacker in a man-in-the-middle (MiTM) position “to craft a token that would allow access to ITSM as any user”.
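The vulnerability class behind CVE-2024-7570 is worth seeing in code: when a relying party fetches its identity provider's signing keys over TLS without validating the server certificate, an on-path attacker can impersonate the provider, publish a key set of their own and then mint an ID token for any subject. The Go program below is an added illustration of that class and is not Ivanti's code, nor a description of how the ITSM flaw itself is triggered; the local test server, the key id `mitm-key`, the `/jwks.json` path and the `admin` subject are constructed for the demo. The same relying-party code is run twice: once with `InsecureSkipVerify` (the bug), once with Go's default certificate validation (the fix), which rejects the interposed host's self-signed certificate before any key material is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

var b64 = base64.RawURLEncoding
func bigFromB64(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }

// signES256 mints a JWT over claims with priv, as an attacker holding that key would.
func signES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: r||s
	return signing + "." + b64.EncodeToString(sig)
}

// startMITMJWKSServer plays the on-path attacker: an RFC 7517 key set with the attacker's key, self-signed TLS.
func startMITMJWKSServer(pub *ecdsa.PublicKey, kid string) *httptest.Server {
	coord := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "EC",
		"crv": "P-256", "kid": kid, "x": coord(pub.X), "y": coord(pub.Y)}}})
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write(doc)
	}))
}

// verifyIDToken is the relying party: fetch the JWKS through client, select the key by kid, verify ES256, return sub.
func verifyIDToken(client *http.Client, jwksURL, token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("bad header") // the token never gets to pick a weaker alg
	}
	resp, err := client.Get(jwksURL)
	if err != nil {
		return "", fmt.Errorf("jwks fetch: %w", err) // a validating client stops here
	}
	defer resp.Body.Close()
	var set struct{ Keys []map[string]string }
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return "", err
	}
	var pub *ecdsa.PublicKey
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigFromB64(k["x"]), Y: bigFromB64(k["y"])}
		}
	}
	sig, _ := b64.DecodeString(parts[2])
	if pub == nil || len(sig) != 64 {
		return "", fmt.Errorf("unknown kid or bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature invalid")
	}
	var claims struct{ Sub string }
	pb, _ := b64.DecodeString(parts[1])
	err = json.Unmarshal(pb, &claims)
	return claims.Sub, err
}

// newClient(true) reproduces the bug class: with InsecureSkipVerify any on-path host can impersonate
// the IdP and swap the JWKS. newClient(false) is the fix: the chain is validated against the system trust store.
func newClient(skipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}}}
}

// Demo mints a token for sub "admin" with the attacker's key and runs it through both clients.
func Demo() (insecureSub string, insecureErr, strictErr error) {
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := startMITMJWKSServer(&attacker.PublicKey, "mitm-key") // key id constructed for the demo
	defer srv.Close()
	token := signES256(attacker, "mitm-key", map[string]any{"sub": "admin", "iss": srv.URL})
	insecureSub, insecureErr = verifyIDToken(newClient(true), srv.URL+"/jwks.json", token)
	_, strictErr = verifyIDToken(newClient(false), srv.URL+"/jwks.json", token)
	return
}

func main() { fmt.Println(Demo()) }
```

With `InsecureSkipVerify` the relying party accepts the attacker's key set and the forged token verifies as `admin`; with default validation the JWKS fetch fails on the unknown certificate authority and no token is ever checked against the substituted keys. The signature check itself is correct in both runs, which is the point: the weakness is in what the verifier trusts as the source of keys, not in the signature algorithm, so pinning `alg` and checking `kid` do not help once the transport is unauthenticated.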
Ivanti announced patches for Neurons for ITSM versions 2023.2, 2023.3, and 2023.4. The company applied the fixes to all Neurons for ITSM Cloud landscapes on August 4.
The software company also announced the rollout of patches for a critical-severity bug in Virtual Traffic Manager (vTM) that could be exploited remotely to bypass authentication and create an administrator user in the admin panel.
Tracked as CVE-2024-7593 (CVSS score of 9.8), the security defect was resolved with the release of vTM versions 22.2R1 and 22.7R2. Ivanti says patches will also be included in vTM versions 22.3R3, 22.5R2, and 22.6R2, which will be released next week.
On Tuesday, Ivanti also announced patches for five high-severity vulnerabilities in Avalanche, including four that could allow remote, unauthenticated attackers to mount denial-of-service (DoS) attacks or read arbitrary files on the server.
The fifth bug, an improper input validation issue, could be exploited to achieve remote code execution (RCE). However, an attacker would have to be authenticated as an administrator user to exploit the flaw.
All five security defects were resolved with the release of Avalanche version 6.4.4. Ivanti recommends that customers download the Avalanche installer and upgrade to the patched version of the product.
Ivanti says it is not aware of any of these vulnerabilities being exploited in the wild, but points out that a proof-of-concept (PoC) exploit is available for the critical vTM flaw.
Additional information can be found in Ivanti’s August security advisory.