Category Archives: Advisories

Ivanti CSA (Cloud Services Appliance) zero-day Attack


What is the Attack?

Attackers are actively exploiting multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance) that could allow an attacker to gain admin access, bypass security measures, run arbitrary SQL commands, and execute code remotely. The FortiGuard Incident Response (IR) team has been engaged on one of the compromised CSA (Cloud Services Appliance) systems. As the investigation is still ongoing, more details about the campaign will be provided once available.

CVE-2024-9379: SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

CVE-2024-9380: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

CVE-2024-8963: Path traversal in Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

What is the recommended Mitigation?

Ivanti has released updates for Ivanti CSA (Cloud Services Appliance) which address these vulnerabilities: Security Advisory Ivanti CSA (Cloud Services Appliance). In the advisory, Ivanti has mentioned that they have observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 is chained with CVE-2024-8963.

What FortiGuard Coverage is available?

FortiGuard recommends users apply the vendor's fixes as mentioned in the advisory.

FortiGuard Web Filtering service has blocked all the known Indicators of Compromise (IoCs) captured during the IR engagement.

FortiGuard Antivirus service has blocked all the known malware used by the threat actor in the related campaign.

FortiGuard IPS protection is available for CVE-2024-8963 ("Ivanti.Cloud.Service.Appliance.datetime.Command.Injection") to defend against attacks targeting vulnerable Ivanti CSA systems.

FortiGuard IPS protection is currently being investigated for CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381.

The FortiGuard Incident Response team can be engaged to help with any suspected compromise.


Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution


Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution.

Ivanti EPMM is a mobile device management solution designed to secure mobile devices, apps and content.

Ivanti Cloud Service Appliance (CSA) is an Internet appliance that provides secure communication and functionality over the Internet.

Ivanti Velocity License Server is a server solution that ensures mobile devices have appropriate licenses for accessing business systems.

Ivanti Avalanche is a mobile device management solution securing mobile devices across enterprise environments.

Ivanti Connect Secure/Policy Secure is a VPN security solution.

Successful exploitation could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs or view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe products are software used for creating and publishing a wide variety of content, including graphics, photography, illustration, animation, multimedia, motion pictures and print.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Critical Patches Issued for Microsoft Products, October 8, 2024


Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


USN-7058-1: .NET vulnerabilities


Brennan Conroy discovered that the .NET Kestrel web server did not
properly handle closing HTTP/3 streams under certain circumstances. An
attacker could possibly use this issue to achieve remote code execution.
This vulnerability only impacted .NET 8. (CVE-2024-38229)

It was discovered that .NET components designed to process malicious input
were susceptible to hash flooding attacks. An attacker could possibly use
this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43483)

It was discovered that the .NET System.IO.Packaging namespace did not
properly process SortedList data structures. An attacker could possibly
use this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43484)

It was discovered that .NET did not properly handle the deserialization
of certain JSON properties. An attacker could possibly use this issue to
cause a denial of service, resulting in a crash. (CVE-2024-43485)
