Right this moment, Ivanti urged clients to patch a essential authentication bypass vulnerability impacting Digital Site visitors Supervisor (vTM) home equipment that may let attackers create rogue administrator accounts.
Ivanti vTM is a software-based software supply controller (ADC) that gives app-centric visitors administration and cargo balancing for internet hosting business-critical companies.
Tracked as CVE-2024-7593, this auth bypass vulnerability is because of an incorrect implementation of an authentication algorithm that permits distant unauthenticated attackers to bypass authentication on Web-exposed vTM admin panels.
“Ivanti launched updates for Ivanti Digital Site visitors Supervisor (vTM) which addressed a essential vulnerability. Profitable exploitation may result in authentication bypass and creation of an administrator consumer,” the corporate warned on Tuesday.
“We’re not conscious of any clients being exploited by this vulnerability on the time of disclosure. Nonetheless, a Proof of Idea is publicly accessible, and we urge clients to improve to the newest patched model. “
Ivanti advises admins to limit entry to the vTM administration interface by binding it to an inside community or personal IP handle to scale back the assault floor and block potential exploitation makes an attempt.
To restrict admin entry to the administration interface by way of the personal/company community, admins must:
- Navigate to System > Safety, then click on the drop-down for the Administration IP Deal with and Admin Server Port part of the web page.
- Within the ‘bindip’ drop-down, choose the Administration Interface IP Deal with or use the setting straight above the “bindip” setting to limit entry to trusted IP addresses, additional limiting who can entry the interface.
The safety flaw has been fastened in Ivanti vTM 22.2R1 and 22.7R2, with patches to be launched for the remaining supported variations over the approaching weeks.
Ivanti says it has no proof that the CVE-2024-7593 auth bypass has been exploited in assaults however suggested admins to test the Audit Logs Output for brand spanking new ‘user1’ or ‘user2’ admin customers added through the GUI or utilizing the publicly accessible exploit code.
Right this moment, Ivanti additionally warned admins to right away patch an data disclosure vulnerability (CVE-2024-7569) in Ivanti ITSM on-prem and Neurons for ITSM variations 2023.4 and earlier. This vulnerability can let unauthenticated attackers receive the OIDC shopper secret through debug data.
The corporate patched one other authentication bypass flaw (CVE-2024-22024) impacting Ivanti Join Safe, Coverage Safe, and ZTA gateways in February when it urged admins to safe weak home equipment instantly.
Ivanti VPN home equipment have been underneath assault since December 2023 utilizing exploits chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero days.
The corporate additionally warned of a 3rd zero-day (a server-side request forgery bug tracked as CVE-2024-21893) underneath mass exploitation in February, permitting risk actors to bypass authentication on unpatched ICS, IPS, and ZTA gateways.