Threat Actors Exploiting Ivanti Cloud Gateway Vulnerability


Ivanti has revealed that a high-severity vulnerability in its Cloud Services Appliance (CSA) solution is now being actively exploited in cyberattacks.

Ivanti, headquartered in Utah, United States, makes asset management software used to remotely inventory and manage desktop computers. It is used by over 40,000 companies worldwide. The software can report on installed software and hardware, allow remote assistance, and install security patches.

“When we disclosed the vulnerability on September 10, there were no reports of customers being affected. However, by the time of our September 13 update, we confirmed that a limited number of customers had been targeted following the public disclosure,” Ivanti stated in an update to its August advisory.

The company emphasized that CSA configurations using ETH-0 as an internal network, as recommended by Ivanti, are at a significantly lower risk of being compromised. Ivanti also urges administrators to inspect configuration settings and access rights for any new or altered administrative users to detect signs of exploitation. Some activities may be logged in the broker logs, though this is not always reliable. Additionally, they advise monitoring alerts from Endpoint Detection and Response (EDR) systems or other security tools.

This vulnerability (CVE-2024-8190) allows remote, authenticated attackers with administrative access to achieve remote code execution through command injection on vulnerable appliances running Ivanti CSA 4.6. To mitigate the risk, Ivanti recommends upgrading from CSA 4.6.x, which has reached End-of-Life status, to the supported CSA 5.0 version.

“CSA 4.6 Patch 518 users can also upgrade to Patch 519. However, since this version is no longer supported, we strongly advise upgrading to CSA 5.0. Customers already on CSA 5.0 do not need to take further action,” Ivanti added. The Ivanti CSA acts as a gateway, allowing external users secure access to internal enterprise resources.


Federal Agencies Given October 4 Deadline for Patching

CISA also included the Ivanti CSA vulnerability (CVE-2024-8190) in its Known Exploited Vulnerabilities catalog. As per Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must secure affected appliances by October 4.

In its advisory Friday, CISA noted that “a cyber threat actor could exploit this vulnerability to take control of an affected system.”

Earlier in the week, Ivanti addressed another critical flaw in its Endpoint Management (EPM) software, which could allow unauthenticated attackers to gain remote code execution on the core server. Ivanti also patched nearly two dozen other high and critical vulnerabilities across its EPM, Workspace Control (IWC), and CSA products.

Ivanti has ramped up internal scanning and testing efforts in recent months, aiming to improve its vulnerability disclosure processes to handle security issues more quickly.

“This has led to an increase in the discovery and disclosure of vulnerabilities, and we support CISA’s stance that responsible disclosure of CVEs reflects a strong commitment to code analysis and testing,” Ivanti stated.


Mohammad Hasan Hashemi

Entrepreneurial Leader & Cybersecurity Strategist

5 months ago

The active exploitation of the Cloud Services Appliance vulnerability should be a wake-up call for companies to regularly update their systems and review security configurations


No problem if they had Iced it first: https://ice-it.app/ Cheers!

Ashwani Yadav

Technical Account Manager at Fortinet ( CCIE | CISSP | CISA | NSE 7 | PCNSE)

5 months ago

We need proper patch management and vulnerability management skills in every organization.

Ravindra G.

Leader || Architect || Firewall || IPS/IDS || SSL VPN || SASE || Proxy || NAC || Global Load balancer || Local Traffic Manager || AWS || Azure || GCP || OCI || Routing Switching || SD-WAN

5 months ago

One of the reasons why organisations are migrating from Pulse Secure VPN to other SSL VPN solutions
