PoC exploit for exploited Ivanti Cloud Services Appliance flaw released (CVE-2024-8190)
CVE-2024-8190, an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) v4.6, is under active exploitation.
Details about the attacks are still unknown, but there may be more in the near future: Horizon3.ai researchers have published their analysis of the flaw and a PoC exploit for it.
About CVE-2024-8190
CVE-2024-8190 is a command injection vulnerability that can only be exploited if the attacker manages to log into the appliance’s admin login page first. According to Horizon3.ai researchers, that might not be a great hurdle in some cases.
“Successful exploitation could lead to unauthorized access to the device running the CSA. Dual-homed CSA configurations with eth0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation,” Ivanti explained in the security advisory.
But, unfortunately, not everyone follows recommendations.
“Users that accidentally swap the interfaces, or simply only have one interface configured, would expose the console to the internet,” Horizon3.ai’s Zach Hanley explained.
And while users are required to change the default login credentials (username: admin, password: admin) when logging in for the first time, a new password might not be strong enough to counter the disadvantage presented by non-existent rate limiting for login attempts.
“We theorize that most likely users who have been exploited have never logged in to the appliance, or due to lack of rate limiting may have had poor password hygiene and had weaker passwords,” Hanley added.
What to do?
CVE-2024-8190 affects only CSA v4.6 before Patch 519, which was released last week.
But Ivanti and CISA urge users to update to v5.0, which is not affected because the vulnerable functionality was removed. Also, v5.0 is the only one that’s still supported – v4.6 has reached end-of-life, and will not be receiving any more fixes or patches.
Ivanti says that “a limited number of customers” have been exploited. Those who suspect of having been victimized should review the CSA for modified or newly added administrative users.
“While inconsistent, some attempts may show up in the broker logs which are local to the system. We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA,” the company advised.
Horizon3.ai has shared indicators of compromise that may be found in logs.
UPDATE (September 19, 2024, 04:50 a.m. ET):
With CSA v4.6 Patch 519, Ivanti has also incidentally addressed another zero-day exploited along with CVE-2024-8190: CVE-2024-8963, a path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality.
“If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance,” says Ivanti.
“If you suspect compromise, Ivanti’s recommendation is that you rebuild your CSA with patch 519 (released 09/10/2024). We strongly recommend moving to CSA 5.0, where possible.”