Ivanti Warns of Maximum Severity CSA Auth Bypass Vulnerability


Summary

Ivanti has disclosed a critical authentication bypass vulnerability, designated CVE-2024-11639, in its Cloud Services Appliance (CSA) solution, which could allow remote attackers to gain administrative privileges without authentication. The flaw affects CSA version 5.0.2 and earlier, with Ivanti advising immediate upgrades to version 5.0.3. While there is no evidence of exploitation in the wild, this vulnerability marks the sixth CSA flaw addressed in recent months, following a series of actively exploited vulnerabilities in Ivanti products.

Community Impact

Retail and hospitality sectors, which rely heavily on IT infrastructure to manage customer data, supply chains, and payment systems, face elevated risks from vulnerabilities like CVE-2024-11639. Exploitation of such flaws could allow attackers to infiltrate corporate networks, disrupt operations, or exfiltrate sensitive data, including customer information. If attackers leverage such vulnerabilities, businesses in these sectors could face financial losses, reputational damage, and regulatory penalties for failing to safeguard customer data. RH-ISAC Core Members are advised to review the intelligence contained in this report and the original report, linked above, and, if applicable, to patch Ivanti CSA to version 5.0.3 as soon as technically feasible.

Technical Analysis

The newly disclosed CVE-2024-11639 is an authentication bypass vulnerability affecting Ivanti’s Cloud Services Appliance (CSA) version 5.0.2 and earlier. The flaw allows attackers to gain administrative privileges remotely without authentication, which is why it carries a maximum severity rating. The vulnerability arises from an alternate path or channel that bypasses the normal authentication checks, which attackers could exploit to fully compromise the appliance.

Ivanti has released a patch in version 5.0.3 and strongly advises immediate updates. This vulnerability is part of a broader pattern, as Ivanti patched five other CSA flaws in recent months, including remote code execution, SQL injection, OS command injection, and path traversal vulnerabilities. Notably, several earlier vulnerabilities, such as CVE-2024-8963, were already exploited in the wild, with attackers chaining them for advanced attacks like bypassing security restrictions and executing arbitrary code.
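As an added example that is not Ivanti's or RH-ISAC's code, the following Python helper checks an asset inventory against the affected range stated above (5.0.2 and earlier affected, 5.0.3 fixed). The inventory format, hostnames and version strings are assumptions.

```python
# Added example (not Ivanti's or RH-ISAC's code): flag Ivanti CSA hosts
# running an affected version per this advisory (5.0.2 and earlier affected,
# 5.0.3 fixed). Assumes versions are dotted numeric strings as reported by
# an asset inventory; anything unparsable is flagged for manual review.
import re

FIXED_VERSION = (5, 0, 3)  # first release containing the fix for CVE-2024-11639


def parse_version(version: str) -> tuple:
    """Turn '5.0.2' (optionally prefixed with 'v' or followed by a build
    suffix such as '5.0.2-123') into a comparable tuple of three integers."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> bool:
    """True when the CSA version predates the fixed release. Comparing
    tuples avoids the string-ordering trap where '5.0.10' < '5.0.3'."""
    return parse_version(version) < FIXED_VERSION


def hosts_needing_patch(inventory):
    """inventory: iterable of (hostname, version). Returns hosts to patch;
    unparsable versions are included so they are not silently skipped."""
    todo = []
    for host, version in inventory:
        try:
            if is_affected(version):
                todo.append(host)
        except ValueError:
            todo.append(host)
    return todo


# Constructed sample inventory; hostnames and versions are not real assets.
SAMPLE_INVENTORY = [
    ("csa-dc1.example.internal", "5.0.2"),
    ("csa-dc2.example.internal", "5.0.3"),
    ("csa-lab.example.internal", "4.6"),
    ("csa-old.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to 5.0.3 or later")
```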

Despite no evidence of CVE-2024-11639 exploitation to date, the history of actively exploited zero-days in Ivanti’s ecosystem raises concerns, as these flaws have been used in attacks targeting Ivanti VPN appliances and other gateways.
