DIVD-2024-00046 - Multiple critical vulnerablilties in Ivanti Cloud Services Appliance (CSA)
| Our reference | DIVD-2024-00046 |
| Case lead | Alwin Warringa |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Upgrade the Ivanti CSA 4.6 to CSA 5.0 |
| Patch status | Patch available |
| Workaround | none |
| Status | Closed |
| Last modified | 06 Jan 2025 11:20 CET |
Summary
Ivanti has disclosed a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519). Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance.
Recommendations
To remediate CVE-2024-8963 and CVE-2024-8190, update to version 5.0. You can find a link to the Ivanti CSA bulletin at the bottom of this post.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Ivanti CSA and to notify these parties.
Timeline
| Date | Description |
|---|---|
| 24 Sep 2024 | DIVD starts researching the vulnerability. |
| 11 Nov 2024 | DIVD finds fingerprint, preparing to scan. |
| 11 Nov 2024 | Case opened and starting first scan. |
| 20 Nov 2024 | Second scan. |
| 20 Nov 2024 | Mails sent out. |
| 06 Jan 2025 | DIVD sent out a second round of notifications. |
| 06 Jan 2025 | Case closed. |
gantt
title DIVD-2024-00046 - Multiple critical vulnerablilties in Ivanti Cloud Services Appliance (CSA)
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00046 - Multiple critical vulnerablilties in Ivanti Cloud Services Appliance (CSA) (104 days) :2024-09-24, 2025-01-06
section Events
DIVD starts researching the vulnerability. : milestone, 2024-09-24, 0d
DIVD finds fingerprint, preparing to scan. : milestone, 2024-11-11, 0d
Case opened and starting first scan. : milestone, 2024-11-11, 0d
Second scan. : milestone, 2024-11-20, 0d
Mails sent out. : milestone, 2024-11-20, 0d
DIVD sent out a second round of notifications. : milestone, 2025-01-06, 0d
Case closed. : milestone, 2025-01-06, 0d