Ivanti has released critical security updates to address a severe vulnerability in its Virtual Traffic Manager (vTM) that could allow unauthorized administrative access.
Tracked as CVE-2024-7593, the flaw has a CVSS score of 9.8 out of 10, indicating its severity. According to Ivanti's advisory, the vulnerability is due to an incorrect implementation of an authentication algorithm in vTM versions prior to 22.2R1 and 22.7R2. This issue permits a remote, unauthenticated attacker to bypass the admin panel’s authentication process.
The affected versions of vTM include:
* 22.2 (fixed in version 22.2R1)
* 22.3 (fixed in version 22.3R3, available the week of August 19, 2024)
* 22.3R2 (fixed in version 22.3R3, available the week of August 19, 2024)
* 22.5R1 (fixed in version 22.5R2, available the week of August 19, 2024)
* 22.6R1 (fixed in version 22.6R2, available the week of August 19, 2024)
* 22.7R1 (fixed in version 22.7R2)
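For teams that run several vTM branches, the useful first step is an inventory check that maps each deployed version to the per-branch fixed release above and flags hosts that need the interim mitigation because their fix was not yet available at publication. The following Python is an added example, not Ivanti's code or tooling; the fixed-release table is taken from the list above, and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Per release branch (major, minor): the first R release containing the fix for
# CVE-2024-7593 and whether the advisory listed it as already available at
# publication. Built from the affected-versions list in the article; branches
# not listed there are reported as unknown rather than assumed safe.
FIX_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, bool]] = {
    (22, 2): (1, True),   # 22.2          -> 22.2R1
    (22, 3): (3, False),  # 22.3, 22.3R2  -> 22.3R3 (week of August 19, 2024)
    (22, 5): (2, False),  # 22.5R1        -> 22.5R2 (week of August 19, 2024)
    (22, 6): (2, False),  # 22.6R1        -> 22.6R2 (week of August 19, 2024)
    (22, 7): (2, True),   # 22.7R1        -> 22.7R2
}

# Accepts "MAJOR.MINOR" or "MAJOR.MINORRn" (e.g. "22.3", "22.3R2").
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:R(\d+))?\s*$")


def parse_vtm_version(text: str) -> Tuple[int, int, int]:
    """Parse a vTM version string into (major, minor, r).

    A bare "MAJOR.MINOR" with no R suffix is the branch's initial release and
    is represented as r == 0 so that it sorts before R1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vTM version string: {text!r}")
    major, minor, rel = m.groups()
    return int(major), int(minor), (int(rel) if rel is not None else 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below its branch's fixed release, False if at or
    above it, None if the branch is not covered by the advisory list."""
    major, minor, rel = parse_vtm_version(text)
    entry = FIX_BY_BRANCH.get((major, minor))
    if entry is None:
        return None
    fixed_rel, _available = entry
    return rel < fixed_rel


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to an action string based on its deployed version."""
    actions: Dict[str, str] = {}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        if status is None:
            actions[host] = "review: branch not in advisory list"
            continue
        if status is False:
            actions[host] = "ok"
            continue
        major, minor, _ = parse_vtm_version(version)
        fixed_rel, available = FIX_BY_BRANCH[(major, minor)]
        target = f"{major}.{minor}R{fixed_rel}"
        if available:
            actions[host] = f"patch to {target}"
        else:
            # Fix not yet published: apply Ivanti's interim mitigation first.
            actions[host] = (
                "restrict admin interface to trusted IPs now; "
                f"patch to {target} when released"
            )
    return actions


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vtm-edge-01": "22.2",
    "vtm-edge-02": "22.3R2",
    "vtm-core-01": "22.7R2",
    "vtm-lab-01": "22.4R1",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

The "review" outcome for an unlisted branch is deliberate: a version-check script should never report a host as safe simply because the advisory did not mention its branch.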
As a temporary mitigation, Ivanti advises customers to restrict admin access to the management interface or limit access to trusted IP addresses. Although there is no current evidence of the flaw being exploited in the wild, the availability of a proof-of-concept (PoC) makes it crucial for users to apply the latest updates promptly.
In addition to this issue, Ivanti has addressed two other significant vulnerabilities in its Neurons for ITSM platform:
* CVE-2024-7569 (CVSS score: 9.6): An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier that allows an unauthenticated attacker to access the OIDC client secret through debug information.
* CVE-2024-7570 (CVSS score: 8.3): An improper certificate validation issue in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier, which enables a remote attacker in a man-in-the-middle position to craft a token that provides access to ITSM as any user.
These vulnerabilities, affecting versions 2023.4, 2023.3, and 2023.2, have been addressed in the respective patched versions.
Furthermore, Ivanti has patched five high-severity flaws (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, and CVE-2024-37373) in Ivanti Avalanche, which could lead to denial-of-service (DoS) conditions or remote code execution. These issues have been fixed in version 6.4.4.
Users are encouraged to update their systems to the latest versions to protect against these critical vulnerabilities.