Ivanti has fixed a critical-severity flaw in its Virtual Traffic Manager (vTM), which if exploited could enable attackers to bypass authentication and create a user with administrator privileges.
The company said in a security advisory this week that it’s not aware of exploitation efforts against the flaw (CVE-2024-7593), but warned that a proof-of-concept exploit is publicly available.
Ivanti is urging customers to update to a fixed version of vTM, its software-based application delivery controller. Fixes are currently available for versions 22.2 (resolved in 22.2R1) and 22.7R1 (resolved in 22.7R2); fixes for vTM versions 22.3, 22.3R2, 22.5R1 and 22.6R1 are expected the week of Aug. 19, Ivanti said.
“Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel,” according to Ivanti’s advisory.
Ivanti said that customers with a management interface “bound to an internal network or private IP address have significantly reduced their attack surface.”
“Upgrade to the available patch 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024),” according to Ivanti. “Customers who have pointed their management interface to a private IP and restricted access can patch at their earliest convenience.”
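The two questions Ivanti's guidance turns on are whether a given vTM build is one of the fixed releases and whether its admin interface is reachable from outside a private network. The following triage helper, an added example rather than Ivanti's own tooling, encodes both checks. It assumes the operator supplies the version string and the addresses the admin interface listens on (for instance from the Admin UI or from `ss -ltn` on the appliance); the sample addresses and the 9090 port are constructed for illustration.

```python
"""Triage helper for CVE-2024-7593 exposure (added example, not Ivanti code).

Inputs are assumed to be supplied by the operator: the vTM version string and
the host:port listeners of the admin interface. The listener list and port
used below are constructed sample data, not values read from a real appliance.
"""
import ipaddress
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"22.2": "22.2R1", "22.7": "22.7R2"}

_VER = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_version(v):
    """Turn '22.7R1' into a comparable tuple (22, 7, 1); '22.2' becomes (22, 2, 0)."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version: {v!r}")
    major, minor, rev = m.groups()
    return (int(major), int(minor), int(rev or 0))


def is_vulnerable(version):
    """Per the advisory, anything other than 22.2R1 / 22.7R2 (or a later
    revision on the same branch) is treated as affected."""
    major, minor, rev = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in FIXED:
        return (major, minor, rev) < parse_version(FIXED[branch])
    return True  # no fixed release for this branch yet: assume affected


def exposed_listeners(bind_addrs):
    """Return listeners that are not confined to loopback or RFC 1918 /
    private space. A wildcard bind (0.0.0.0 or ::) always counts as exposed."""
    exposed = []
    for addr in bind_addrs:
        host, _, _port = addr.rpartition(":")
        ip = ipaddress.ip_address(host.strip("[]"))
        if ip.is_unspecified or not (ip.is_private or ip.is_loopback):
            exposed.append(addr)
    return exposed


def triage(version, bind_addrs):
    """Map the two checks onto the advisory's guidance:
    'patched'    - running a fixed release
    'patch-now'  - affected and admin interface reachable from outside
    'patch-soon' - affected but admin interface restricted to private space"""
    if not is_vulnerable(version):
        return "patched"
    if exposed_listeners(bind_addrs):
        return "patch-now"
    return "patch-soon"


if __name__ == "__main__":
    # Constructed sample: an unpatched 22.7R1 node listening on all interfaces.
    sample_listeners = ["0.0.0.0:9090", "[::1]:9090"]
    print(triage("22.7R1", sample_listeners))      # patch-now
    print(triage("22.7R1", ["10.0.0.5:9090"]))     # patch-soon
    print(triage("22.7R2", sample_listeners))      # patched
```

The exposure check deliberately treats a wildcard bind as exposed even though `0.0.0.0` falls inside Python's private-address list, since a wildcard listener is reachable on every interface the host has; a reviewer extending this to other products should keep that special case.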
On Tuesday, Ivanti also released fixes for its Neurons for IT Service Management (ITSM) software: a critical information disclosure flaw (CVE-2024-7569) and a high-severity improper certificate validation bug (CVE-2024-7570), both affecting Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier. The latter could allow remote attackers to craft tokens that grant access to ITSM as any user, Ivanti said.
Finally, the company on Tuesday also released fixes for five high-severity flaws (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, CVE-2024-37373) in Ivanti Avalanche, its enterprise mobility management tool, which if exploited could enable a range of outcomes from denial of service to remote code execution. The flaws are patched in Ivanti Avalanche version 6.4.4.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure,” said Ivanti. “These vulnerabilities were disclosed through our responsible disclosure program.”