Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management
Ivanti Vulnerability Again Forces Emergency Patches
Cloud Service Appliance Admin Panels Exposed a Pathway to the Internet for HackersCustomers of internet appliance maker Ivanti face yet another hackable vulnerability. The Utah company warned customers Friday about exploitation of a Cloud Service Appliance detected in the wild.
See Also: Ransomware Response Essential: Fixing Initial Access Vector
"A limited number of customers" running version 4.6 of the software, which allows enterprises to manage devices behind firewalls and can serve as proxy network access, have been hacked, the company said. Thae U.S. Cybersecurity and Infrastructure Agency added the vulnerability to its catalog of known exploited vulnerabilities, putting federal agencies on a three-week countdown clock to ensure they apply a patch.
The vulnerability, tracked as CVE-2024-8190, affects version 4.6 of the Cloud Service Appliance, which is at end of life. Ivanti said the vulnerability doesn't affect version 5 of the appliance; it released a patch on Sept. 10. One telltale sign of hacking, the company said, could be newly added admin users or modified admin accounts.
Ivanti gateway appliances earlier this year were at the center of an espionage hacking operation likely conducted by China. CISA was among the affected customers. The campaign thrust Ivanti into a spotlight maintained by researchers who have kept up a drumbeat of revelations of vulnerabilities in the company's products (see: Ivanti Uses End-of-Life Operating Systems, Software Packages).
Only days before this latest flaw, Ivanti patched a critical vulnerability in its Endpoint Manager product that could allow unauthenticated attackers gain remote code execution. The company has called the spike in discoveries of cybersecurity flaws a sign of progress and attributed it to intensified scanning and testing. "We agree with CISAs statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community,'" it said.
The company said Cloud Service Appliance users with dual-homed configurations who followed best practices by designating eth0
as an internal network were far less at risk of being hacked. Exploiting the flaw requires hackers to authenticate into the appliance and have admin privileges, Ivanti said.
Researchers from Horizon3.ai posited that hackers able to exploit the flaw found appliances configured to accept internet connections through eth1
or that only had one interface configured. Attempting to reach the admin portal from the internet through eth0
resulted in a "403 Forbidden" message. When exposed to the internet, the Cloud Service Appliance admin portal did not rate-limit brute force attempts to find a working user name and password combination. Users who never logged onto the appliance might have also helped hackers, since the appliance shipped with a default credential of admin:admin
. A first-time logon triggered a credential update requirement.
"We theorize that most likely users who have been exploited have never logged in to the appliance, or due to lack of rate limiting may have had poor password hygiene and had weaker passwords," the researchers said.