Ivanti Connect Secure, Policy Secure and Secure Access Client Affected by Critical Vulnerabilities

Ivanti has released urgent security updates to address a range of vulnerabilities, including critical remote code execution (RCE) flaws, in its Connect Secure, Policy Secure, and Secure Access Client products. These vulnerabilities pose significant risks to organizations, potentially allowing attackers to gain unauthorized access, escalate privileges, and execute malicious code.

The most severe vulnerabilities, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-39711, CVE-2024-39712, CVE-2024-11007, CVE-2024-11006, and CVE-2024-11005 (CVSS 9.1), are critical argument injection and command injection flaws that could allow a remote authenticated attacker with admin privileges to achieve RCE. Other vulnerabilities include:

• CVE-2024-47905, CVE-2024-47909 (CVSS 4.9): Stack-based buffer overflow vulnerabilities that could allow a remote authenticated attacker with admin privileges to cause a denial of service (DoS).
• CVE-2024-37400, CVE-2024-47907, CVE-2024-8495, CVE-2024-38649 (CVSS 7.5): Out-of-bounds read, null pointer dereference, and out-of-bounds write vulnerabilities that could allow a remote unauthenticated attacker to trigger an infinite loop or cause a DoS.
• CVE-2024-9420, CVE-2024-47906 (CVSS 8.8): A use-after-free vulnerability that could allow a remote authenticated attacker to achieve RCE, and excessive binary privileges that could allow a local authenticated attacker to escalate privileges.
• CVE-2024-39709 (CVSS 7.8): Incorrect file permissions that could allow a local authenticated attacker to escalate privileges.
• CVE-2024-11004 (CVSS 8.4): Reflected cross-site scripting (XSS) vulnerability that could allow a remote unauthenticated attacker to obtain admin privileges (user interaction required).
• CVE-2024-8539, CVE-2024-29211 (CVSS 7.1): Improper authorization and a race condition that could allow a local authenticated attacker to modify sensitive configuration files.
• CVE-2024-38654 (CVSS 4.4): Improper bounds checking that could allow a local authenticated attacker with admin privileges to cause a DoS.
• CVE-2024-9842 (CVSS 7.3): Incorrect permissions that could allow a local authenticated attacker to create arbitrary folders.
• CVE-2024-9843 (CVSS 5.0): A buffer over-read vulnerability that could allow a local unauthenticated attacker to cause a DoS.
• CVE-2024-37398, CVE-2024-7571 (CVSS 7.8): Insufficient validation and incorrect permissions that could allow a local authenticated attacker to escalate privileges.

Ivanti has addressed these vulnerabilities in the following versions:

• Ivanti Connect Secure 22.7R2.3
• Ivanti Policy Secure 22.7R1.2
• Ivanti Secure Access Client 22.7R4

Customers are strongly advised to update their products to the latest versions as soon as possible to mitigate the risk of potential attacks. Ivanti provides detailed information about these vulnerabilities and the patching process in its official security advisory.

Related Posts:

• Critical Vulnerabilities Discovered in Ivanti Connect Secure and Policy Secure
• CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Akamai Unveils New VPN Post-Exploitation Techniques: Major Vulnerabilities Discovered in Ivanti and FortiGate VPNs
• Ivanti Issues Patch for Critical Vulnerabilities in Endpoint Manager, Including CVE-2024-29847 (CVSS 10.0)
• Suspected Nation-State Adversary Exploits Ivanti CSA in a Series of Sophisticated Attacks