- 330/2024
- Critical
Ivanti has released security updates to fix several vulnerabilities across multiple Ivanti products.
The addressed vulnerabilities could allow the attacker to manipulate data, bypass security restrictions, perform denial of service attacks, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Ivanti CSA Administrative Access Vulnerability (CVE-2024-11639):
- CVSS: 10.0
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Ivanti Sentry Insecure Permissions Vulnerability (CVE-2024-8540):
- CVSS: 8.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Data Manipulation
The affected products:
- Ivanti Cloud Service Application (CSA).
- Ivanti Desktop and Server Management (DSM).
- Ivanti Connect Secure and Policy Secure.
- Ivanti Sentry.
- Ivanti Endpoint Manager (EPM).
- Ivanti Security Controls (iSec).
- Ivanti Neurons Agent Platform.
- Ivanti Neurons for Patch Management.
Vulnerabilities
- CVE-2024-11639
- CVE-2024-11772
- CVE-2024-11773
- CVE-2024-7572
- CVE-2024-37377
- CVE-2024-9844
- CVE-2024-37401
- CVE-2024-11633
- CVE-2024-11634
- CVE-2024-8540
- CVE-2024-10256
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.