Ivanti has unveiled a series of security updates designed to rectify four security flaws identified in its Connect Secure and Policy Secure Gateway solutions. These flaws, if exploited, could enable unauthorized code execution and trigger denial-of-service (DoS) attacks.
The vulnerabilities in question are as follows:
CVE-2024-21894 (CVSS score: 8.2): This critical vulnerability, a heap overflow problem within the IPSec component of both Ivanti Connect Secure and Policy Secure (versions 9.x, 22.x), could allow an unauthenticated attacker to issue specific requests that may crash the system. This could result in a DoS or, under certain conditions, allow for arbitrary code execution.
CVE-2024-22052 (CVSS score: 7.5): Identified as a null pointer dereference flaw within the IPSec component of Ivanti Connect Secure and Policy Secure (versions 9.x, 22.x), this issue permits an unauthenticated attacker to cause service disruption through specially crafted requests, leading to a DoS.
CVE-2024-22053 (CVSS score: 8.2): Another critical heap overflow flaw in the IPSec component of Ivanti Connect Secure and Policy Secure (versions 9.x, 22.x) that enables an unauthenticated attacker to crash the service or potentially read memory content through specially designed requests, thus causing a DoS or information leakage.
CVE-2024-22023 (CVSS score: 5.3): An XML entity expansion (XEE) issue in the SAML component of Ivanti Connect Secure and Policy Secure (versions 9.x, 22.x), which allows an unauthenticated attacker to send crafted XML requests that lead to resource exhaustion and a temporary DoS.
Despite facing multiple security vulnerabilities in its products since the start of the year, Ivanti has confirmed that there have been no known cases of these vulnerabilities being exploited among its customer base as of the disclosure date.
Following the discovery of significant vulnerabilities in its offerings, Ivanti has also issued patches for its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6), which previously allowed unauthenticated attackers to run arbitrary commands on the system.
Moreover, a critical vulnerability in the on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) was fixed. This vulnerability could have been exploited by an authenticated remote attacker to perform unauthorized file writes, leading to code execution.
Jeff Abbott, Ivanti’s CEO, in a letter published on April 3, 2023, underscored the firm’s dedication to thoroughly evaluating and improving its security practices and measures to effectively counter the evolving cybersecurity threats.