Ivanti Product Line Security Update Advisory

Overview

 

Updates have been released to address vulnerabilities in the Ivanti product line. Users of the affected versions are advised to update to the latest version.
 

 

Affected Products

 

CVE-2024-11639, CVE-2024-11772, CVE-2024-11773

  • Ivanti Cloud Services Application (CSA) versions: up to and including 5.0.2

 

CVE-2024-8540

  • Ivanti Sentry versions: up to and including 9.20.1
  • Ivanti Sentry versions: up to and including 10.0.1

 

CVE-2024-10256

  • Ivanti Endpoint Manager (EPM) versions: up to and including 2024 September Security Update
  • Ivanti Endpoint Manager (EPM) versions: up to and including 2022 SU6
  • Ivanti Security Controls (iSec) versions: up to and including 2024.3.2 (9.6.9365.0)
  • Ivanti Patch for Configuration Manager versions: up to and including 2024.3 (2.5.1058)
  • Ivanti Neurons for Patch Management versions: up to and including 2024.3 (1.1.55.0)
  • Ivanti Neurons Agent Platform versions: up to and including 2024.1 (9.6.771)

 

CVE-2024-7572

  • Ivanti Desktop and Server Management (DSM) version: 2024.2

 

 

Resolved Vulnerabilities

 

Authentication bypass vulnerability in the administrator web console that allows a remote unauthenticated attacker to gain administrator privileges (CVE-2024-11639)

Command injection vulnerability in the administrator web console that could allow a remote authenticated attacker with administrator privileges to perform remote code execution (CVE-2024-11772)

SQL injection vulnerability in the administrator web console that could allow a remote authenticated attacker with administrator privileges to execute arbitrary SQL commands (CVE-2024-11773)

Insecure permission settings that could allow a locally authenticated attacker to modify sensitive application components (CVE-2024-8540)

Insufficient permission settings that could allow a locally authenticated attacker to delete arbitrary files (CVE-2024-10256, CVE-2024-7572)

 

 

Vulnerability Patches

Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the Referenced Sites to update to the patched versions listed below.

 

CVE-2024-11639, CVE-2024-11772, CVE-2024-11773

  • Ivanti Cloud Services Application (CSA) version: 5.0.3

 

CVE-2024-8540

  • Ivanti Sentry version: 9.20.2
  • Ivanti Sentry version: 10.0.2
  • Ivanti Sentry version: 10.1.0

 

CVE-2024-10256

  • Ivanti Endpoint Manager (EPM) version: 2024 November Security Update
  • Ivanti Endpoint Manager (EPM) version: 2022 SU6 November Security Update
  • Ivanti Security Controls (iSec) version: 2024.4 (9.6.9375.0)
  • Ivanti Patch for Configuration Manager version: 2024.4 (2.5.1129.0)
  • Ivanti Neurons for Patch Management version: 2024.4 (1.1.67.0)
  • Ivanti Neurons Agent Platform version: 2024.4 (9.6.839)

 

CVE-2024-7572

  • Ivanti Desktop and Server Management (DSM) version: 2024.3.5740

 

 

Referenced Sites

 

[1] Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-11639, CVE-2024-11772, CVE-2024-11773)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US

[2] Security Advisory Ivanti Sentry (CVE-2024-8540)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2024-8540?language=en_US

[3] Security Advisory Ivanti Patch SDK (CVE-2024-10256)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Patch-SDK-CVE-2024-10256?language=en_US

[4] Security Advisory Ivanti Desktop and Server Management (DSM) (CVE-2024-7572)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Desktop-and-Server-Management-DSM-CVE-2024-7572?language=en_US