CVE-2024-5671 (CVSS 9.8) Exposes Trellix Intrusion Prevention System to Remote Attacks
Trellix, a prominent cybersecurity provider, has issued urgent patches for two critical vulnerabilities discovered in its Intrusion Prevention System (IPS). The flaws, tracked as CVE-2024-5671 and CVE-2024-5731, leave unpatched systems exposed to remote code execution and unauthorized access.
A Dual Threat
The first vulnerability, CVE-2024-5671, stems from insecure deserialization within certain workflows of the IPS Manager. This flaw allows attackers to remotely inject malicious code and execute it on the targeted system, potentially leading to complete compromise. The severity of this vulnerability is underscored by its CVSS score of 9.8, classifying it as critical.
The second vulnerability, CVE-2024-5731, affects the communication workflow between the IPS Manager, Central Manager, and Local Manager. By manipulating the IP address parameter within requests, attackers can redirect this communication to a server under their control. They can also decode an encoded string containing usernames and passwords, further compromising the system’s security. This vulnerability carries a CVSS score of 6.8, highlighting its potential for significant damage.
Far-Reaching Implications
Trellix IPS is a cornerstone for many organizations’ network security strategies. The discovered vulnerabilities could have severe consequences, including:
- Data breaches: Attackers could gain unauthorized access to sensitive data stored or transmitted across the network.
- Network disruption: Malicious code execution could lead to denial-of-service attacks or the spread of malware within the network.
- Lateral movement: Attackers could leverage compromised IPS systems to pivot and target other systems within the organization.
Urgent Action Recommended
Trellix has released patches for both vulnerabilities in version 11.1.7.84 of the IPS Manager and IPS Central Manager. Organizations using Trellix IPS are strongly urged to upgrade their systems immediately to mitigate the risk of exploitation.
The company has also provided detailed mitigation instructions for those unable to immediately patch their systems. These instructions can be found in the official security advisory on the Trellix website.