Days after Ivanti released patches for a new vulnerability in its Connect Secure and Policy Secure products, proof-of-concept exploit code has already been published for the flaw and security companies are reporting exploitation attempts in the wild. This follows a rough month for Ivanti customers, who had to deploy emergency mitigations and patches for three different zero-day vulnerabilities that were being exploited in the wild.
The new vulnerability, tracked as CVE-2024-22024, is an XML external entity injection (XXE) in the SAML component of specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. It allows an attacker to access certain restricted resources without authentication and is rated with a severity score of 8.3 out of 10 (high) on the CVSS scale.
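For teams that parse SAML messages in their own services, a common hardening against this class of bug is to reject any message that carries a DTD before it reaches the rest of the XML processing code. The sketch below is an added example, not code from Ivanti or watchTowr; the function name `check_saml_xml`, the exception class, and the sample messages are constructed for illustration.

```python
import base64
from xml.parsers import expat


class DTDForbidden(ValueError):
    """The message carries a DOCTYPE or entity declaration."""


def check_saml_xml(b64_message):
    """Return the root element name, or raise before any entity is expanded."""
    raw = base64.b64decode(b64_message, validate=True)  # ValueError if not base64
    root = []

    def forbid(*_args):
        raise DTDForbidden("DTD/entity declarations are not allowed in SAML")

    def on_start(name, _attrs):
        if not root:
            root.append(name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid   # fires on <!DOCTYPE ...>
    parser.EntityDeclHandler = forbid         # fires on <!ENTITY ...>
    parser.StartElementHandler = on_start
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise ValueError("malformed XML") from exc
    return root[0]


# Constructed sample messages (not taken from any real exchange).
_BODY = (b'<samlp:AuthnRequest '
         b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed"/>')
BENIGN = base64.b64encode(_BODY).decode()
WITH_DTD = base64.b64encode(
    b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/x">]>' + _BODY
).decode()

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        try:
            print(label, "->", check_saml_xml(msg))
        except DTDForbidden as exc:
            print(label, "-> rejected:", exc)
```

Legitimate SAML messages have no need for a DOCTYPE, so rejecting on the declaration itself does not depend on how the downstream parser is configured.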
Ivanti credits researchers from security firm watchTowr for finding and reporting the flaw, but also notes that it had already flagged that code as potentially insecure internally. The watchTowr researchers said in a report that they found the flaw while analyzing the patch for CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component that Ivanti disclosed on January 31 as a zero-day flaw that was being exploited in targeted attacks.
The CVE-2024-21893 SSRF flaw itself was discovered by Ivanti while investigating two other zero-day vulnerabilities that were announced on January 10 and were being exploited by a Chinese advanced persistent threat (APT) group. In response to those attacks, Ivanti first released an XML-based mitigation that could be applied to affected devices while the company worked on updated versions for all affected software releases.
Updates available for the new Ivanti vulnerabilities
The updates for the four known vulnerabilities — CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation), and CVE-2024-21893 (SSRF in the SAML component) — were finally released on January 31 and February 1.
Updates for the new CVE-2024-22024 (XXE injection) flaw were released on February 8. Ivanti said these updates supersede the previously released ones and noted that customers who factory reset their devices when applying the January 31 and February 1 patches don't have to do it again after applying the February 8 updates. The factory reset was required to clear out any potential implants and modifications made by attackers using the previous exploits.