CVE-2024-39327 (CVSS 9.9): Critical IDPKI Flaw Could Allow Illegitimate Certificate Issuance

Eviden, an Atos business, has released a security bulletin addressing multiple vulnerabilities discovered in IDPKI, its Identity and Public Key Infrastructure solution. These vulnerabilities, tracked as CVE-2024-39327, CVE-2024-39328, and CVE-2024-51505, could potentially allow unauthorized access and privilege escalation, posing risks to organizations using the affected products.

While these flaws do not expose Certificate Authority (CA) private keys, they could enable unauthorized actions that compromise trust and integrity in IDPKI-managed environments.

CVE-2024-39327 (CVSS 9.9) allows unauthorized CA signing, potentially enabling an attacker to generate illegitimate certificates.
CVE-2024-39328 (CVSS 6.8) enables Config Admin users to exceed their privileges in a multi-partition environment, potentially exposing confidential data.
CVE-2024-51505 (CVSS 8.0) allows Config Admin users exploit a race condition to escalate their privileges.

Eviden has released patches to address these vulnerabilities and urges customers to update their IDPKI deployments as soon as possible. The company has also provided detailed mitigation strategies and workarounds to help organizations protect their systems while they implement the necessary updates. SaaS versions of IDPKI are not impacted by CVE-2024-39328 and CVE-2024-51505 due to role-based restrictions.

Product	Affected	Fixed Version
IDRA	Yes	2.7.1
IDRA SaaS	Partially (CVE-2024-39327 only)	2.7.1
IDCA	Yes (CVE-2024-39328 only)	2.7.0
IDCA SaaS	Not affected	N/A

At the time of publication, Eviden has not observed any real-world attacks exploiting these vulnerabilities. Eviden urges customers to apply patches immediately and use detection scripts to check for potential exploit activity.

Rate this post

Leave a Reply Cancel reply

Website

Related Posts:

Leave a Reply Cancel reply