Thursday, January 30, 2025

Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation


The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory on the active exploitation of critical vulnerabilities in Ivanti Cloud Service Appliances (CSA). The four Ivanti CSA vulnerabilities, CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, were chained by threat actors in September 2024 to compromise victim networks.

Ivanti CSA Vulnerabilities Overview

The vulnerabilities being exploited include:

  1. CVE-2024-8963: An administrative bypass (path traversal) vulnerability that gives an unauthenticated remote attacker access to restricted functionality of the appliance.
  2. CVE-2024-8190: An OS command injection vulnerability that allows a remote, already-authenticated attacker to execute arbitrary commands; in the observed chains, the CVE-2024-8963 bypass supplied that authentication.
  3. CVE-2024-9379: A SQL injection vulnerability that lets an attacker with administrative privileges run arbitrary SQL statements.
  4. CVE-2024-9380: An OS command injection vulnerability that gives an attacker with administrative privileges remote code execution (RCE).

Threat actors used two exploit chains: CVE-2024-8963 combined with CVE-2024-8190 and CVE-2024-9380, and CVE-2024-8963 combined with CVE-2024-9379. In both, the authentication bypass opened the door and the injection bugs did the rest, yielding initial access, RCE, credential theft, and the planting of webshells.

Affected Versions

  • All four vulnerabilities (CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380) affect Ivanti CSA 4.6x versions prior to patch (build) 519.
  • CVE-2024-9379 and CVE-2024-9380 additionally affect CSA versions 5.0.1 and below.

Notably, Ivanti CSA 4.6 has reached end-of-life (EOL) and no longer receives security patches or updates. Users of version 4.6 are strongly advised to upgrade to the latest supported versions to mitigate these risks.
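As an added example (not code from Ivanti or the advisory), the following Python helper turns the affected-version ranges above into a yes/no check an administrator can run against an inventory of appliance version strings. It assumes versions are reported as "major.minor[.patch][-build]" (for example "4.6.0-518" or "5.0.1"); that format, the accepted separators, and the EOL handling for 4.6 are assumptions, not something the advisory specifies.

```python
"""Check an Ivanti CSA version string against the affected ranges stated above.

Added example, not Ivanti's or CISA's code. The version-string format
("4.6.0-518", "4.6 patch 519", "5.0.1") is an assumption.
"""
import re

# Affected ranges as stated on this page:
#   all four CVEs        -> 4.6.x builds before 519 (and 4.6 is EOL anyway)
#   CVE-2024-9379/9380   -> 5.0.1 and below
CVES_46 = ("CVE-2024-8963", "CVE-2024-8190", "CVE-2024-9379", "CVE-2024-9380")
CVES_50 = ("CVE-2024-9379", "CVE-2024-9380")
LAST_VULNERABLE_46_BUILD = 518
LAST_VULNERABLE_50_MINOR_PATCH = (0, 1)

_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?"          # major.minor[.patch]
    r"(?:\s*(?:-|_|\s|build\s*|patch\s*)(\d+))?"  # optional build / patch number
    r"\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, build); absent parts become 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def assess(text):
    """Return (affected_cves, recommendation) for one version string."""
    major, minor, patch, build = parse_version(text)
    if (major, minor) == (4, 6):
        cves = CVES_46 if build <= LAST_VULNERABLE_46_BUILD else ()
        # Even a build at or past 519 is on an end-of-life line, so the
        # recommendation is the same either way: move to a supported release.
        return cves, "4.6 is end-of-life: upgrade to the latest supported release"
    if major == 5 and (minor, patch) <= LAST_VULNERABLE_50_MINOR_PATCH:
        return CVES_50, "upgrade to the latest supported release"
    if major == 5:
        return (), "outside the affected ranges stated in the advisory"
    return (), "version line not covered by the advisory; verify with the vendor"


if __name__ == "__main__":
    # Constructed inventory for the demo, not real appliance data.
    for v in ("4.6.0-518", "4.6 patch 519", "5.0.1", "5.0.2"):
        cves, advice = assess(v)
        print(f"{v:<14} affected={cves or 'none'}  ->  {advice}")
```

Run it against whatever version strings your CMDB or the appliance UI reports; if a string does not parse, the helper raises rather than silently marking the host clean, which is the failure mode you want in a patch audit.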

Key Findings from Incident Response

CISA and trusted third-party incident responders analyzed the attacks and found:

  • Credential Theft and Lateral Movement: Attackers used the vulnerabilities to exfiltrate credentials and move laterally within compromised networks.
  • Webshell Implantation: Webshells were deployed to maintain persistent access and execute malicious commands.
  • Detection of Anomalous Activity: Organizations that noticed the anomalous activity quickly and responded were able to stop the intrusion before it went further.

Examples of Incident Response

Three victim organizations shared their experiences with CISA and the FBI:

  1. Organization 1: Detected anomalous user account creation early, likely preventing lateral movement. It replaced the compromised appliances with upgraded systems, limiting the damage.
  2. Organization 2: Leveraged an endpoint protection platform (EPP) that alerted defenders to malicious script execution. Webshell creation was prevented.
  3. Organization 3: Used indicators of compromise (IOCs) from other victim organizations to detect and respond to the threat. They identified activity involving tools like Obelisk and GoGo Scanner, which generated large amounts of logs, aiding in detection.
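The two detections that worked for these organizations, anomalous account creation (Organization 1) and the log volume a scanner leaves behind (Organization 3), are simple enough to script. The following is an added example, not code from the advisory or from any of the victim organizations: it runs both detections over constructed log lines. The appliance audit-line format, the combined-format web access lines, the IP addresses, and the thresholds are all assumptions made for the demo, not Ivanti's real log formats.

```python
"""Two detections from the incident-response findings, over constructed logs.

Added example, not from the advisory. Log formats and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Assumed syslog-style audit line written when a local account is created.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: user '(?P<user>[^']+)' created "
    r"by '(?P<actor>[^']+)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)
# Assumed combined-format web access line.
ACCESS_RE = re.compile(
    r'^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def account_creations(lines):
    """Every local account creation on an edge appliance deserves a ticket;
    return them all with who did it and from where."""
    findings = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            findings.append({"ts": m["ts"], "user": m["user"],
                             "actor": m["actor"], "src": m["src"]})
    return findings


def scanner_bursts(lines, window=timedelta(seconds=60),
                   threshold=25, min_distinct_paths=10):
    """Flag sources whose busiest `window` holds at least `threshold` requests
    spread over at least `min_distinct_paths` paths: many requests to many
    different URLs in a short time is the shape a scanner leaves in the logs."""
    by_src = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_src[m["src"]].append((ts, m["path"], int(m["status"])))

    findings = []
    for src, events in by_src.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):            # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        paths = {p for _, p, _ in best}
        if len(best) >= threshold and len(paths) >= min_distinct_paths:
            findings.append({"src": src, "requests": len(best),
                             "distinct_paths": len(paths),
                             "errors": sum(1 for _, _, s in best if s >= 400)})
    return findings


def constructed_sample():
    """Constructed log lines for the demo (not real appliance output)."""
    t0 = datetime(2024, 9, 12, 3, 14, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [
        "2024-09-12T03:13:40Z csa01 audit: user 'svc_sync2' created by 'admin' from 203.0.113.7",
        f'192.0.2.10 - - [{fmt(t0)}] "GET /login HTTP/1.1" 200 4120',
        f'192.0.2.10 - - [{fmt(t0 + timedelta(seconds=90))}] "POST /login HTTP/1.1" 302 0',
    ]
    # 40 probes of 40 different paths in 30 s from one source: scanner-shaped.
    for i in range(40):
        lines.append(f'198.51.100.23 - - [{fmt(t0 + timedelta(seconds=i * 0.75))}] '
                     f'"GET /probe{i} HTTP/1.1" 404 0')
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for f in account_creations(sample):
        print("account created:", f)
    for f in scanner_bursts(sample):
        print("scanner-like burst:", f)
```

The burst detector reports the single busiest window per source rather than the first window that crosses the threshold, so the count it prints is the one an analyst would want to quote; tune `threshold` and `min_distinct_paths` to the appliance's normal traffic before relying on it.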

Mitigation Measures

To counter these Ivanti CSA Vulnerabilities, CISA and FBI recommend the following steps:

  1. Upgrade Software: Immediately upgrade to the latest supported version of Ivanti CSA. Note that Ivanti CSA 4.6 is EOL and unsupported.
  2. Implement Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor and alert on anomalous activity.
  3. Log Network Activity: Maintain detailed logs of network traffic, user account behavior, and software activity to identify malicious behavior.
  4. Patch Management: Ensure operating systems, software, and firmware are regularly updated. Apply patches within 24-48 hours of vulnerability disclosures to minimize exposure.

The advisory maps the observed activity to the MITRE ATT&CK® for Enterprise framework; the tactics and techniques it lists include initial access, OS credential dumping, and remote command execution.

CISA and FBI Guidance

Organizations should consider credentials and sensitive data within compromised Ivanti appliances to be at risk. Immediate action should be taken to analyze logs and artifacts for signs of malicious activity. The advisory provides specific detection methods and IOCs for defenders to utilize.

Additionally, network administrators and security professionals are encouraged to refer to CISA’s Known Exploited Vulnerabilities Catalog to stay informed on actively exploited vulnerabilities and emerging threats.

This advisory serves as a critical reminder of the importance of maintaining up-to-date software, rapid vulnerability patching, and effective threat detection strategies. Organizations relying on Ivanti CSA must prioritize upgrading to the latest versions and implementing robust security practices to defend against these attacks.
