CVE-2024-9379

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 8, 2024 / Updated: 42d ago

CVSS 7.2 (High) | EPSS 0.04%

Summary

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Impact

An attacker who already holds admin credentials for the CSA web console can execute arbitrary SQL statements against the appliance database, leading to unauthorized reading, modification or deletion of its contents. The CVSS v3.1 base score is 7.2 (High): confidentiality, integrity and availability are all rated High, and the only factor keeping the score below Critical is that high privileges (PR:H) are required. That prerequisite should not be relied on as a barrier: the vulnerability is being actively exploited in the wild, has been added to the CISA Known Exploited Vulnerabilities catalog, and reporting summarized in the timeline below describes it being chained with the previously patched CVE-2024-8963.
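As an added illustration of the CWE-89 pattern this CVE falls under, the following example was written for this page and is not Ivanti's code; the settings/users schema, column names and payloads are hypothetical stand-ins for an admin console's settings store. It shows a read path where a single quote in an admin-supplied parameter turns the rest of the value into SQL (data exfiltration via UNION), a write path where stacked statements modify another table, and the parameterized form of each that treats the same input as data.

```python
import sqlite3

# Constructed, hypothetical schema standing in for an admin console's settings
# store. It is not Ivanti CSA's real schema; the point is the CWE-89 pattern.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT);
        INSERT INTO settings VALUES ('hostname', 'csa.example.internal'), ('log_level', 'info');
        INSERT INTO users VALUES ('admin', 'sha256$deadbeef', 'admin'),
                                 ('svc_backup', 'sha256$cafebabe', 'service');
    """)
    return conn


def get_setting_vulnerable(conn, name):
    # CWE-89: the request parameter is spliced straight into the statement, so a
    # quote in `name` closes the literal and the remainder is parsed as SQL.
    sql = f"SELECT name, value FROM settings WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def get_setting_safe(conn, name):
    # Parameterized: the driver sends `name` as a bound value, never as SQL text.
    return conn.execute("SELECT name, value FROM settings WHERE name = ?", (name,)).fetchall()


def update_setting_vulnerable(conn, name, value):
    # Same flaw on a write path. executescript() runs every statement in the
    # string, mirroring drivers or modes that accept stacked statements. sqlite3's
    # plain execute() would refuse the second statement, but that is a driver
    # property, not a security control, so it is not relied on here.
    conn.executescript(f"UPDATE settings SET value = '{value}' WHERE name = '{name}';")


def update_setting_safe(conn, name, value):
    conn.execute("UPDATE settings SET value = ? WHERE name = ?", (value, name))
    conn.commit()


def role_of(conn, username):
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


# Constructed payloads an authenticated admin could submit as the `name` parameter.
# The trailing "-- " comments out the closing quote the original statement adds.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "
STACKED_PAYLOAD = "x'; UPDATE users SET role = 'admin' WHERE username = 'svc_backup'; -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable read:", get_setting_vulnerable(db, UNION_PAYLOAD))
    print("safe read:      ", get_setting_safe(db, UNION_PAYLOAD))
    update_setting_safe(db, STACKED_PAYLOAD, "debug")
    print("role after safe write:      ", role_of(db, "svc_backup"))
    update_setting_vulnerable(db, STACKED_PAYLOAD, "debug")
    print("role after vulnerable write:", role_of(db, "svc_backup"))
```

The vulnerable read returns every row of the users table (hashes included) for a lookup that should have matched nothing; the parameterized read returns an empty result for the same input. The vulnerable write promotes a service account to admin as a side effect of a settings update, which is the "modification" half of the Impact section above; the parameterized write touches zero rows.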

Exploitation

No public proof-of-concept is known to exist. The vulnerability is nonetheless being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog; exploitation has been reported by sources including bleepingcomputer.com.

Patch

A patch is available. Ivanti has released version 5.0.2 of CSA (Cloud Services Appliance) which addresses this vulnerability. All versions before 5.0.2 are affected and should be updated.

Mitigation

1. Update Ivanti CSA to version 5.0.2 or later as soon as possible.
2. Because exploitation requires admin privileges, a compromised, weak or shared admin credential is the precondition for this attack: enforce strong access controls on the admin web console and regularly audit admin accounts and their logins.
3. Monitor and log all activity on the admin web console and alert on requests whose parameters carry SQL syntax.
4. Consider placing a Web Application Firewall (WAF) in front of the console to detect and block SQL injection attempts; treat it as a stopgap, not a substitute for the patch.
5. Conduct regular security assessments and penetration testing to identify and address similar vulnerabilities.
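The monitoring step above asks for alerting on suspicious SQL in admin console requests. The following added example, written for this page rather than taken from Ivanti or any of the sources cited here, scans constructed access-log lines for SQL injection markers in query parameters on admin paths. The `/admin/` prefix, the parameter names and the log lines are all hypothetical; the real CSA endpoint is not named on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers of SQL injection in a decoded parameter value. Each pattern requires a
# quote or a SQL keyword in context to keep noise down on ordinary admin input.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=", re.I)),
    ("comment-terminator", re.compile(r"'\s*(?:--|/\*|#)")),
    ("stacked-statement", re.compile(r";\s*(?:select|insert|update|delete|drop|alter)\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
]

# Common Log Format, as written by Apache/nginx-style front ends (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def sqli_indicators(value):
    """Return the names of every pattern matching `value`, in SQLI_PATTERNS order."""
    # parse_qsl already percent-decoded once; decoding again catches payloads
    # that were double-encoded to slip past a single-decode filter.
    decoded = unquote_plus(value)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_access_log(lines, admin_prefix="/admin/"):
    """Flag query parameters on admin-console requests that carry SQLi markers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a production scanner would count and report these
        target = urlsplit(m.group("target"))
        if not target.path.startswith(admin_prefix):
            continue  # only the admin console is in scope for this CVE
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            hits = sqli_indicators(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "ts": m.group("ts"),
                    "path": target.path,
                    "param": param,
                    "status": int(m.group("status")),
                    "indicators": hits,
                })
    return findings


# Constructed sample log lines; hosts, users, paths and payloads are invented.
SAMPLE_LOG = [
    '10.0.0.5 - admin [09/Oct/2024:14:20:01 +0000] "GET /admin/settings.php?name=hostname HTTP/1.1" 200 512',
    '10.0.0.5 - admin [09/Oct/2024:14:20:07 +0000] "GET /admin/settings.php?name=x%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20users--%20 HTTP/1.1" 200 1934',
    '203.0.113.9 - admin [09/Oct/2024:14:21:13 +0000] "GET /admin/settings.php?name=x%27%3B%20UPDATE%20users%20SET%20role%3D%27admin%27--%20 HTTP/1.1" 500 77',
    '203.0.113.9 - - [09/Oct/2024:14:21:30 +0000] "GET /index.php?q=1%27%20OR%201%3D1-- HTTP/1.1" 200 300',
    '10.0.0.7 - admin [09/Oct/2024:14:22:02 +0000] "GET /admin/users.php?id=7 HTTP/1.1" 200 812',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['path']} param={f['param']} "
              f"status={f['status']} indicators={','.join(f['indicators'])}")
```

Two caveats for real use. Admin form submissions usually travel in POST bodies, which a standard access log does not record, so this logic has to run against application-level request logs or a reverse proxy configured to log bodies. And because the CVSS vector is PR:H, every hit from an authenticated admin session, especially one that returned 200, should be handled as a compromised admin credential rather than as a blocked probe.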

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9379.

Oct 8, 2024 at 4:08 PM / Dragon Security Threat Intelligence Feed
Exploitation in the Wild

Attacks in the wild have been reported by Dragon Security Threat Intelligence Feed.

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 4:36 PM
CVE Assignment

NVD published the first details for CVE-2024-9379

Oct 8, 2024 at 5:15 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 8, 2024 at 5:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208266)

Oct 9, 2024 at 1:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 9, 2024 at 10:30 AM
Threat Intelligence Report

CVE-2024-9379 is a critical zero-day vulnerability in Ivanti's Cloud Services Appliance (CSA) that is actively exploited in the wild, allowing attackers to perform unauthorized actions such as SQL injections and remote code execution. It can be chained with a previously patched vulnerability (CVE-2024-8963), posing a significant threat to enterprises that have not upgraded to the latest patched versions. There is no information provided on CVSS scores, proof-of-concept exploits, mitigations, detections, or downstream impacts on third-party vendors.

Oct 9, 2024 at 10:37 AM
Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Oct 9, 2024 at 2:20 PM / CISA Known Exploited Vulnerability

Affected Systems

Ivanti/endpoint_manager_cloud_services_appliance

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

forums.ivanti.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

October Security Update
Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers.
CVE-2024-9379: Ivanti Cloud Service Appliance Authenticated SQL Injection  
The SonicWall Capture Labs threat research team became aware of an authenticated SQL injection vulnerability affecting Ivanti Cloud Service Appliances (CSA). With Admin privileges, an attacker can compromise the Ivanti Server database by injecting crafted SQL queries into vulnerable versions of Ivanti CSA.
Cybersecurity Vulnerability News: October 2024 CVE Roundup
A critical cybersecurity vulnerability (CVE-2024-9379) in Ivanti Cloud Services Appliance (CSA) allows attackers to execute arbitrary commands remotely, potentially leading to unauthorized system access and compromise of sensitive information. A critical cybersecurity vulnerability (CVE-2024-47575) in Fortinet FortiManager allows for unauthorized access, exposing systems to full remote control and potential compromise of network security configurations.

News

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog , based on evidence of active exploitation. CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria .

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
