Ivanti Connect Secure and Policy Secure Updates Address Critical Vulnerabilities
Ivanti, a leader in unified endpoint and enterprise service management, has issued patches for several high and critical vulnerabilities affecting its Connect Secure and Policy Secure solutions. These updates are essential for ensuring secure operations, as the vulnerabilities could lead to remote code execution (RCE), denial of service (DoS), and security bypasses.
- CVE-2024-11633 (CVSS 9.1): Argument Injection (Critical)
A critical argument injection vulnerability in Ivanti Connect Secure (versions prior to 22.7R2.4) allows remote authenticated attackers with admin privileges to achieve remote code execution.
- CVE-2024-11634 (CVSS 9.1): Command Injection (Critical)
Command injection vulnerabilities in Ivanti Connect Secure and Policy Secure (versions prior to 22.7R2.3 and 22.7R1.2, respectively) enable attackers with admin privileges to achieve remote code execution.
- CVE-2024-37377 & CVE-2024-37401: Heap-Based Buffer Overflow and Out-of-Bounds Read
These vulnerabilities in the IPsec implementation of Ivanti Connect Secure allow remote unauthenticated attackers to cause denial of service.
- CVE-2024-9844: Insufficient Server-Side Controls (High)
A vulnerability in the Secure Application Manager of Ivanti Connect Secure allows remote authenticated attackers to bypass restrictions.
The critical vulnerabilities (CVE-2024-11633 and CVE-2024-11634) pose a significant risk to users of the 9.1Rx line of code. However, Ivanti has stated that these vulnerabilities will not be patched in the 9.x version of the software. The company advises customers to restrict Management interface access to an internal network to mitigate the risk.
It’s important to note that the 9.1Rx line of code will reach end of support on December 31, 2024. Patches for this line are provided on a ‘best effort’ basis. Ivanti strongly encourages customers to upgrade to Connect Secure 22.7 to benefit from the latest security updates.
These vulnerabilities have been addressed in the latest versions of the products:
- Ivanti Connect Secure 22.7R2.4
- Ivanti Policy Secure 22.7R1.2
Customers are urged to update their products immediately to mitigate the risk of exploitation. The updates are available through the Ivanti download portal.
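To turn the version thresholds above into an inventory check, here is an added example (not Ivanti's code or tooling, and not part of the original article) that parses Ivanti's `MAJOR.MINORRrelease.patch` version strings, compares a deployed version against the first fixed version per CVE as stated in this advisory, and flags the 9.x line, for which the critical CVEs will not be patched. The per-CVE fixed versions for the IPsec and Secure Application Manager issues are assumed to be the listed fixed release (22.7R2.4); the sample versions at the bottom are constructed.

```python
import re
from typing import Dict, List, Tuple

# Ivanti version strings such as "22.7R2.4" parse to (22, 7, 2, 4).
# Assumption: a missing trailing patch number ("22.7R2") means patch 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# First fixed version per CVE, taken from the advisory text.
# For the IPsec DoS and SAM issues the fixed release 22.7R2.4 is assumed.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "Connect Secure": {
        "CVE-2024-11633": "22.7R2.4",
        "CVE-2024-11634": "22.7R2.3",
        "CVE-2024-37377": "22.7R2.4",
        "CVE-2024-37401": "22.7R2.4",
        "CVE-2024-9844": "22.7R2.4",
    },
    "Policy Secure": {
        "CVE-2024-11634": "22.7R1.2",
    },
}


def assess(product: str, version: str) -> Dict[str, object]:
    """Return the CVEs a deployed version still lacks a fix for, and the action."""
    v = parse_version(version)
    outstanding: List[str] = [
        cve for cve, fixed in FIXED_IN[product].items() if v < parse_version(fixed)
    ]
    on_9x = v[0] == 9  # 9.x line: critical CVEs will not be patched, per the advisory
    if not outstanding:
        action = "none"
    elif on_9x:
        action = "upgrade to 22.7; meanwhile restrict Management interface to internal network"
    else:
        action = "upgrade to " + max(FIXED_IN[product].values(), key=parse_version)
    return {"product": product, "version": version, "outstanding": outstanding, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory entries, not real hosts.
    for prod, ver in [("Connect Secure", "22.7R2.3"), ("Connect Secure", "9.1R18.9"), ("Policy Secure", "22.7R1.2")]:
        print(assess(prod, ver))
```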