February 7, 2025
Attackers target new Ivanti XXE vulnerability days after patch

Days after Ivanti released patches for a new vulnerability in its Connect Secure and Policy Secure products, proof-of-concept exploit code has already been published for the flaw and security firms are reporting exploitation attempts in the wild. This follows a rough month for Ivanti customers, who had to deploy emergency mitigations and patches for three different zero-day vulnerabilities that were being exploited in the wild.

The new vulnerability, tracked as CVE-2024-22024, is an XML external entity injection (XXE) in the SAML component of specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. It allows an attacker to access certain restricted resources without authentication and is rated with a severity score of 8.3 out of 10 (high) on the CVSS scale.
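The generic defensive check for the vulnerability class described above, shown as an added example that is not part of the article and has nothing to do with Ivanti's or watchTowr's code: a SAML consumer that refuses any inbound XML carrying a DTD before the real parser sees it, because an external entity can only be declared through a DTD and no legitimate SAML message carries one. The two sample messages, the `idp.example.test` issuer and the `file:///placeholder/path` entity target are constructed for the demonstration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class UnsafeXml(ValueError):
    """Raised when an inbound message carries a DTD or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE or entity declaration.

    An XXE payload needs a DTD (internal or external subset) to declare the
    entity, so refusing every DTD closes the whole class before any entity
    could be resolved. Exceptions raised inside pyexpat handlers propagate
    out of Parse(), which stops the scan immediately.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE '{name}' is not allowed in SAML messages")

    def on_entity_decl(*_args):
        raise UnsafeXml("entity declarations are not allowed in SAML messages")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_saml_issuer(data: bytes) -> str:
    """Return the Issuer of a SAML Response once the DTD check has passed."""
    reject_dtd(data)
    root = ET.fromstring(data)
    if root.tag != f"{{{SAML_PROTOCOL_NS}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f".//{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML Response has no Issuer element")
    return issuer.text.strip()


def is_rejected(data: bytes) -> bool:
    """True when the message is refused by the DTD check."""
    try:
        parse_saml_issuer(data)
    except UnsafeXml:
        return True
    return False


# Constructed sample: a minimal, well-formed SAML Response with no DTD.
BENIGN_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
    b'</samlp:Response>'
)

# Constructed sample: the same message shape with a DTD declaring an external
# entity. The SYSTEM target is a placeholder; the declaration itself is what
# the check refuses, regardless of where it points.
DTD_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Response [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Issuer>&ext;</saml:Issuer>'
    b'</samlp:Response>'
)

if __name__ == "__main__":
    print("benign issuer:", parse_saml_issuer(BENIGN_RESPONSE))
    print("DTD message rejected:", is_rejected(DTD_RESPONSE))
```

The pre-scan is deliberately separate from the parser that produces the tree: the rejection happens on the declaration, so it does not depend on whether the downstream library happens to resolve external entities, and a message that tries to smuggle a DTD is logged and dropped rather than partially processed.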

Ivanti credits researchers from security firm watchTowr with finding and reporting the flaw, but also notes that it had already flagged that code internally as potentially insecure. The watchTowr researchers said in a report that they found the flaw while analyzing the patch for CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component that Ivanti disclosed on January 31 as a zero-day flaw that was being exploited in targeted attacks.

The CVE-2024-21893 SSRF flaw itself was found by Ivanti while investigating two other zero-day vulnerabilities that were announced on January 10 and were being exploited by a Chinese advanced persistent threat (APT) group. In response to those attacks, Ivanti first released an XML-based mitigation that could be applied to affected devices while the company worked on updated versions for all affected software releases.

Updates available for the new Ivanti vulnerabilities

The updates for the four known vulnerabilities — CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation), and CVE-2024-21893 (SSRF in the SAML component) — were finally released on January 31 and February 1.

Updates for the new CVE-2024-22024 (XXE injection) flaw were released on February 8. Ivanti said these updates supersede the previously released ones and noted that customers who performed a factory reset of their devices when applying the January 31 and February 1 patches do not have to do it again after applying the February 8 updates. The factory reset was required to clear out any potential implants and modifications made by attackers using the earlier exploits.