A critical authentication bypass vulnerability has been discovered in Ivanti Virtual Traffic Manager (vTM). It has been assigned CVE-2024-7593 with a severity of 9.8 (Critical).
Ivanti has patched this vulnerability and released a security advisory to address it.
Ivanti confirmed that there is no evidence of active exploitation of this vulnerability, although a proof of concept for it is publicly available.
Ivanti Virtual Traffic Manager Vulnerability
This vulnerability allows an unauthenticated remote threat actor to bypass the admin panel authentication and perform malicious actions.
A threat actor can also create an administrator account on vulnerable Ivanti instances as a backdoor.
The vulnerability exists due to an incorrect implementation of the authentication algorithm in Ivanti vTM. It exists in all versions of Ivanti vTM other than versions 22.2R1 or 22.7R2.
Ivanti customers whose management interface is on an internal network or private IP have a reduced attack surface.
Ivanti also advises its users to restrict access to the management interface and ensure it is placed on a private IP with restricted access.
Additionally, Ivanti users are advised to upgrade their Ivanti instances to the latest available patch, 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024), to fix this vulnerability.
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Virtual Traffic Manager | 22.2 | 22.2R1 | Available |
| Ivanti Virtual Traffic Manager | 22.3 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.3R2 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.5R1 | 22.5R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.6R1 | 22.6R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.7R1 | 22.7R2 | Available |
Affected version (Source: Ivanti)
Workaround
As a workaround for this vulnerability, Ivanti instructs its users to follow the steps below to limit admin access to the management interface to the internal private or corporate network. The steps are as follows:
1. In the vTM server, go to System > Security, then click the drop-down for the Management IP Address and Admin Server Port section.
2. Click “bindip” and select the Management Interface IP Address.
As an alternative, users can also use the setting directly above the “bindip” setting to restrict access to trusted IP addresses, further restricting who can access the interface.
Source: Ivanti
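To verify the workaround from the host running vTM, the following added example (not from Ivanti or the original article) parses `ss -H -ltn` output and reports admin-port listeners that are still bound to a wildcard or non-private address. The port 9090 and the sample lines are assumptions constructed for illustration; substitute the Admin Server Port configured on your instance.

```python
import ipaddress

ADMIN_PORT = 9090  # assumption: replace with your configured Admin Server Port

# Address ranges treated as "private" for this check (RFC 1918, loopback, IPv6 ULA/link-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample of `ss -H -ltn` output (not captured from a real appliance).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 128 10.20.0.5:9090 0.0.0.0:*
LISTEN 0 128 [::]:9090 [::]:*
LISTEN 0 128 203.0.113.10:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
"""

def classify(addr):
    """Return 'wildcard', 'private' or 'public' for a listener address."""
    addr = addr.split("%")[0].strip("[]")  # drop IPv6 zone id and brackets
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "wildcard"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"

def exposed_admin_listeners(ss_output, port=ADMIN_PORT):
    """Return (address, verdict) for admin-port listeners not bound to a private IP."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split the port off from the right
        # so IPv6 addresses containing ':' stay intact.
        addr, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        verdict = classify(addr)
        if verdict != "private":
            findings.append((addr, verdict))
    return findings

if __name__ == "__main__":
    for addr, verdict in exposed_admin_listeners(SAMPLE_SS):
        print(f"admin port {ADMIN_PORT} bound to {addr}: {verdict}, set bindip")
```

An empty result means every listener on the admin port is bound to a private address, which is the state the “bindip” setting is meant to produce.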
To check whether an instance has been compromised, users can review the “Audit Logs Output” to see if an admin user has been added.
Users are advised to keep all instances updated to the latest version to prevent exploitation of this vulnerability. Ivanti also lists the End of Engineering and End of Support schedule for Ivanti vTM.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti added.