Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users.
The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0.
“Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel,” the company said in an advisory.
It impacts the following versions of vTM –
- 22.2 (fixed in version 22.2R1)
- 22.3 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.3R2 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.5R1 (fixed in version 22.5R2, available week of August 19, 2024)
- 22.6R1 (fixed in version 22.6R2, available week of August 19, 2024)
- 22.7R1 (fixed in version 22.7R2)
As a temporary mitigation, Ivanti is recommending that customers limit admin access to the management interface or restrict access to trusted IP addresses.
While there is no evidence that the flaw has been exploited in the wild, the company acknowledged the public availability of a proof-of-concept (PoC), making it essential that users apply the latest fixes as soon as possible.
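The interim mitigation above amounts to putting the vTM management interface behind a source-address allowlist until the fixed release is installed. The following is an added example, not Ivanti's own guidance or code: it generates host-firewall rules that accept the admin port only from trusted networks and drop everything else. It assumes the admin UI listens on TCP 9090 (overridable via ADMIN_PORT) and that the host uses iptables; the allowlist entries are constructed sample values.

```shell
#!/bin/sh
# Added example: emit host-firewall rules that restrict the vTM admin
# interface to a trusted allowlist. Assumptions (not from the advisory):
# the admin UI listens on TCP 9090 and the host filters with iptables.
set -eu

ADMIN_PORT="${ADMIN_PORT:-9090}"

# Accept only an IPv4 address or IPv4 CIDR. A malformed entry would
# otherwise make iptables fail part-way through building the chain,
# leaving the port half-restricted.
is_ipv4_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print one ACCEPT rule per trusted source, then a default DROP for the
# port. Rules are printed rather than applied so the operator can review
# them (and confirm their own address is on the list) before running them.
build_admin_allowlist_rules() {
  port="$1"; shift
  [ "$#" -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
  for src in "$@"; do
    is_ipv4_cidr "$src" || { echo "bad allowlist entry: $src" >&2; return 1; }
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Usage: review the output, then pipe it to sh to apply. The sources are
# constructed sample values; replace them with your management networks.
build_admin_allowlist_rules "$ADMIN_PORT" 10.0.0.0/24 192.0.2.10
```

The ACCEPT rules are emitted before the DROP so that appending them in order yields the intended allowlist; if the management interface is also reachable over IPv6, an equivalent ip6tables chain is needed, and none of this replaces installing the fixed vTM release.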
Separately, Ivanti has also addressed two shortcomings in Neurons for ITSM that could result in information disclosure and unauthorized access to the devices as any user –
- CVE-2024-7569 (CVSS score: 9.6) – An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information
- CVE-2024-7570 (CVSS score: 8.3) – Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user
The issues, which affect versions 2023.4, 2023.3, and 2023.2, have been resolved in versions 2023.4 w/ patch, 2023.3 w/ patch, and 2023.2 w/ patch, respectively.
Also patched by the company are five high-severity flaws (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, and CVE-2024-37373) in Ivanti Avalanche that could be exploited to achieve a denial-of-service (DoS) condition or remote code execution. They have been fixed in version 6.4.4.