Ivanti on Tuesday rolled out fixes to address a number of critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the ten vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining four bugs – CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) – also fall under the same category, with the only difference being that they require the attacker to be authenticated.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file.
In addition, patches have been shipped for five other high-severity vulnerabilities: an SQL injection (CVE-2024-22059) and an unrestricted file upload bug (CVE-2024-22060) in Neurons for ITSM, a CRLF injection flaw in Connect Secure (CVE-2023-38551), and two local privilege escalation issues in the Secure Access client for Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti stressed that there is no evidence of the flaws being exploited in the wild or that they were “introduced into our code development process maliciously” via a supply chain attack.
The development comes as details emerged about a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix (CVE-2024-4701, CVSS score: 9.9) that could lead to remote code execution.
Described as a path traversal vulnerability, the shortcoming could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The problem stems from the fact that Genie’s REST API is designed to accept a user-supplied filename as part of the request, thus allowing a malicious actor to craft a filename such that it can break out of the default attachment storage path and write a file with any user-specified name to a path specified by the actor.
“Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted,” the maintainers stated in an advisory.
“Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system that the Java process has write access to – potentially leading to remote code execution (RCE).”
That said, users who don’t store the attachments locally on the underlying file system are not susceptible to this issue.
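As an added illustration (not Genie’s code, and not taken from the advisory), the Python below models the pattern described above: a naive join of a client-supplied filename beneath an assumed attachment root, beside a hardened version that accepts a single path component and re-checks that the result stays inside the root. The storage path and the sample filenames are constructed for the example.

```python
import posixpath

# Constructed example, not Genie's code: a minimal model of an attachment
# store that accepts a client-supplied filename and writes under a base dir.
ATTACHMENT_ROOT = "/var/lib/app/attachments"  # assumed storage path

def naive_target(root: str, user_filename: str) -> str:
    """Vulnerable pattern: join the supplied name under the root with no
    validation. '..' segments and absolute names walk out of the root."""
    return posixpath.normpath(posixpath.join(root, user_filename))

def escapes_root(root: str, target: str) -> bool:
    """True when the normalized target does not lie inside root."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, target]) != root

def safe_target(root: str, user_filename: str) -> str:
    """Hardened pattern: accept a single path component only, reject dot
    names, separators and NUL bytes, then re-check containment. Production
    code should also canonicalize with os.path.realpath so that symlinks
    inside the store cannot redirect the write."""
    name = user_filename.replace("\\", "/")
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        raise ValueError(f"rejected attachment name: {user_filename!r}")
    target = posixpath.normpath(posixpath.join(root, name))
    if escapes_root(root, target):
        raise ValueError(f"attachment path escapes storage root: {target}")
    return target

# Constructed sample inputs: one benign upload and two traversal attempts.
SAMPLES = ["report.csv", "../../../../tmp/outside.txt", "/tmp/absolute.txt"]

def classify(root: str = ATTACHMENT_ROOT) -> dict:
    """Record, per sample, where the naive code would write and whether the
    hardened check rejects it (hardened_path is None when rejected)."""
    results = {}
    for name in SAMPLES:
        naive = naive_target(root, name)
        try:
            hardened = safe_target(root, name)
        except ValueError:
            hardened = None
        results[name] = {
            "naive_path": naive,
            "naive_escapes": escapes_root(root, naive),
            "hardened_path": hardened,
        }
    return results
```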
“If successful, such an attack could fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files,” Contrast Security researcher Joseph Beeton said.
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal defects in software to breach targets, calling on developers to adopt a secure by design approach for eliminating such security holes.
“Incorporating this risk mitigation at the outset – beginning in the design phase and continuing through product release and updates – reduces both the burden of cybersecurity on customers and risk to the public,” the government said.
The disclosure also comes in the wake of various vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s ControlEdge Unit Operations Controller (UOC) that could result in unauthenticated remote code execution.
“An attacker already on an OT network would use a malicious network packet to exploit this vulnerability and compromise the virtual controller,” Claroty stated. “This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code.”