CVE-2024-9380

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 8, 2024 / Updated: 42d ago

CVSS 7.2 / EPSS 0.04% / High

Summary

An OS command injection vulnerability exists in the admin web console of Ivanti CSA versions prior to 5.0.2. This vulnerability allows a remote authenticated attacker with admin privileges to execute arbitrary operating system commands on the affected system.

Impact

If exploited, this vulnerability could lead to remote code execution on the affected Ivanti CSA system. An attacker with admin privileges could potentially:

1. Execute arbitrary commands with the privileges of the web server process.
2. Access, modify, or delete sensitive data on the system.
3. Install malicious software or backdoors for persistent access.
4. Use the compromised system as a pivot point to attack other systems in the network.
5. Disrupt the availability of the Ivanti CSA service.

The vulnerability has a CVSS v3.1 base score of 7.2 (High), indicating a significant potential impact on the confidentiality, integrity, and availability of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including bleepingcomputer.com.

Patch

A patch is available. Ivanti has addressed this vulnerability in version 5.0.2 of CSA. Organizations using affected versions should upgrade to version 5.0.2 or later to mitigate this vulnerability.

Mitigation

To mitigate this vulnerability:

1. Upgrade Ivanti CSA to version 5.0.2 or later as soon as possible.
2. If immediate patching is not possible, consider the following temporary measures:
   a. Restrict access to the admin web console to only trusted IP addresses.
   b. Implement strong authentication mechanisms for admin accounts.
   c. Monitor admin account activities closely for any suspicious behavior.
3. Conduct a thorough review of admin account privileges and remove unnecessary elevated permissions.
4. Implement network segmentation to isolate the Ivanti CSA system from other critical infrastructure.
5. Regularly audit and monitor system logs for any signs of exploitation attempts.
6. Keep all systems and software up to date with the latest security patches.

Given the high severity and the potential for remote code execution, it is strongly recommended to prioritize the patching of this vulnerability in your remediation efforts.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Feedly found the first article mentioning CVE-2024-9380.
Oct 8, 2024 at 4:08 PM / Dragon Security Threat Intelligence Feed

Exploitation in the Wild
Attacks in the wild have been reported by Dragon Security Threat Intelligence Feed.

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Oct 8, 2024 at 4:36 PM

CVE Assignment
NVD published the first details for CVE-2024-9380.
Oct 8, 2024 at 5:15 PM

CVSS
A CVSS base score of 7.2 has been assigned.
Oct 8, 2024 at 5:20 PM / nvd

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (208266).
Oct 9, 2024 at 1:15 AM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.7%)
Oct 9, 2024 at 10:30 AM

Threat Intelligence Report
CVE-2024-9380 is a newly identified zero-day vulnerability in Ivanti's Cloud Services Appliance (CSA) that is actively exploited in the wild, allowing attackers to perform unauthorized actions, including SQL injections and remote code execution. There are no specific details provided about a CVSS score, proof-of-concept exploits, or available mitigations and patches, but the exploitation poses a significant threat to enterprises that have not upgraded to the latest patched versions. The vulnerability can be chained with CVE-2024-8963, indicating potential downstream impacts on other technologies relying on Ivanti CSA.
Oct 9, 2024 at 10:37 AM

Exploitation in the Wild
Attacks in the wild have been reported by CISA Known Exploited Vulnerability.
Oct 9, 2024 at 2:20 PM / CISA Known Exploited Vulnerability

Affected Systems

Ivanti/endpoint_manager_cloud_services_appliance

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

forums.ivanti.com

Attack Patterns

CAPEC-136: LDAP Injection

References

October Security Update
Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers.

CVE-2024-9380: Ivanti Cloud Services Appliance Vulnerability – October 2024
Full System Compromise: If attackers exploit the flaw, they can alter or control key functions of the CSA, affecting secure access to cloud resources and remote networks. A critical vulnerability (CVE-2024-9380) in Ivanti's Cloud Services Appliance exposes systems to remote code execution.

Cybersecurity Vulnerability News: October 2024 CVE Roundup
A critical cybersecurity vulnerability (CVE-2024-9379) in Ivanti Cloud Services Appliance (CSA) allows attackers to execute arbitrary commands remotely, potentially leading to unauthorized system access and compromise of sensitive information. A critical cybersecurity vulnerability (CVE-2024-47575) in Fortinet FortiManager allows for unauthorized access, exposing systems to full remote control and potential compromise of network security configurations.

News

Weekly Detection Rule (YARA and Snort) Information – Week 1, November 2024
The following is the information on YARA and Snort rules (week 1, November 2024) collected and shared by the AhnLab TIP service. 0 YARA rules, 12 Snort rules.
Detection name / Source:
ET WEB_SPECIFIC_APPS PFsense Stored Cross-Site Scripting (CVE-2024-46538) / https://rules.emergingthreatspro.com/open/
ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page (Portuguese) / https://rules.emergingthreatspro.com/open/
ET ATTACK_RESPONSE Observed ClickFix Powershell Delivery Page […]
The post Weekly Detection Rule (YARA and Snort) Information – Week 1, November 2024 appeared first on ASEC.

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
