THE THREAT
On August 12th, Ivanti disclosed a new critical vulnerability impacting Ivanti Virtual Traffic Manager (vTM). The vulnerability, tracked as CVE-2024-7593 (CVSS: 9.8), impacts Ivanti vTM versions 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1. Exploitation would enable an unauthenticated remote threat actor with access to the management interface to bypass authentication, access the admin panel, and create new administrator users.
Proof-of-Concept (PoC) exploit code has been available for the vulnerability since at least August 5th. While attacks exploiting CVE-2024-7593 have not been identified at the time of writing, the eSentire Threat Intelligence team assesses that it is highly likely opportunistic threat actors will attempt to exploit CVE-2024-7593 in the immediate future. Organizations are strongly recommended to apply the available security patches or alternative mitigations as soon as possible.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2024-7593
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant Ivanti security patches
- If patching is not immediately possible, Ivanti recommends that organizations restrict admin access to the management interface through private or corporate networks, to reduce the opportunity for exploitation
- Review Audit Logs Output for recently created 'user1' or 'user2' admin accounts; identification may indicate successful exploitation
- See the Ivanti advisory FAQ section for additional details
Additional information
Ivanti vTM is a software-based Application Delivery Controller (ADC), designed to manage traffic flow for large volumes of network activity efficiently. CVE-2024-7593 is due to the flawed implementation of an authentication algorithm in Ivanti vTM. Ivanti has released two fixed version (22.2R1, 22.7R2); additional updates are set to be released by Ivanti on August 19th (22.3R3, 22.3R3, 22.5R2, 22.6R2).
In addition to CVE-2024-7593, Ivanti has also disclosed multiple vulnerabilities impacting Ivanti Avalanche and Ivanti Neurons for ITSM. These vulnerabilities range in criticality and require patching, but there is currently no indication of either real-world attacks or PoC exploit code.
Threat actors have heavily targeted Ivanti vulnerabilities in the past, with zero-day vulnerabilities in Ivanti being disclosed in January 2024 and August 2023. As multiple threat actor groups have previously targeted Ivanti software, the potential impact of CVE-2024-7593 exploitation, and availability of PoC exploit code, it is highly likely that security researchers and threat actors will dedicate resources into investigating the most recent Ivanti vulnerabilities. Organizations are strongly recommended to remediate these vulnerabilities before exploitation is identified in the wild.
References:
[1] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-7593
[3] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US#:~:text=Q%3A%20How%20can%20I%20tell%20if%20I%20have%20been%20compromised%3F%C2%A0
[4] https://help.ivanti.com/ps/help/en_US/VTM/22.x/userguide/ps-vtm-userguide/introducing_the_.htm#overview_2917896612_599577
[5] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373?language=en_US
[6] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570?language=en_US
[7] https://www.esentire.com/security-advisories/ivanti-zero-day-vulnerability-cve-2023-38035
[8] https://www.esentire.com/security-advisories/third-ivanti-zero-day-vulnerability-cve-2024-21893
