Ivanti product security update advisory

Overview

An update has been released to address vulnerabilities in Ivanti products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-7569, CVE-2024-7570

  • Ivanti Neurons for ITSM: versions up to and including 2023.4

CVE-2024-7593

  • Ivanti Virtual Traffic Manager: versions up to and including 22.2
  • Ivanti Virtual Traffic Manager: versions up to and including 22.3
  • Ivanti Virtual Traffic Manager: versions up to and including 22.3R2
  • Ivanti Virtual Traffic Manager: versions up to and including 22.5R1
  • Ivanti Virtual Traffic Manager: versions up to and including 22.6R1
  • Ivanti Virtual Traffic Manager: versions up to and including 22.7R1

CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, CVE-2024-37373

  • Ivanti Avalanche version: 6.3.1

Resolved Vulnerabilities

Information disclosure vulnerability that could allow an unauthenticated attacker to obtain OIDC client secrets via debug information (CVE-2024-7569)

Improper certificate validation that could allow a remote attacker in a man-in-the-middle position to create a token granting access to the ITSM as any user (CVE-2024-7570)

Admin panel authentication bypass vulnerability in Ivanti’s Virtual Traffic Manager (CVE-2024-7593)

Path traversal in the Skin Management component that could allow remote, unauthenticated attackers to cause a denial of service by deleting arbitrary files (CVE-2024-38652)

XML external entity (XXE) injection in SmartDeviceServer that allows remote, unauthenticated attackers to read arbitrary files on the server (CVE-2024-38653)

An error in WLInfoRailService that could allow remote, unauthenticated attackers to crash the service, resulting in a denial of service (CVE-2024-36136)

NULL pointer dereference in WLAvalancheService that could allow remote, unauthenticated attackers to crash the service, resulting in a denial of service (CVE-2024-37399)

Improper input validation in the central file store that could allow remote, authenticated attackers with administrator privileges to achieve remote code execution (CVE-2024-37373)

Vulnerability Patches

With the latest update, the following product-specific vulnerability patches are available. Please follow the instructions on the referenced sites ([1] to [3]) to update to the patched version.

CVE-2024-7593

  • Ivanti Virtual Traffic Manager version: 22.2R1
  • Ivanti Virtual Traffic Manager version: 22.3R3 (scheduled for release 8/19-8/23)
  • Ivanti Virtual Traffic Manager version: 22.5R2 (scheduled for release 8/19-8/23)
  • Ivanti Virtual Traffic Manager version: 22.6R2 (scheduled for release 8/19-8/23)
  • Ivanti Virtual Traffic Manager version: 22.7R2

CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, CVE-2024-37373

  • Ivanti Avalanche version: 6.4.4

References

[1] Security Advisory: Ivanti Neurons for ITSM (CVE-2024-7569, CVE-2024-7570)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570?language=en_US

[2] Security Advisory: Ivanti Virtual Traffic Manager (vTM) (CVE-2024-7593)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US

[3] Security Advisory: Ivanti Avalanche 6.4.4 (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, CVE-2024-37373)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373?language=en_US