Aug 14, 2024 | Ravie Lakshmanan | Vulnerability / Network Security
Ivanti has released security updates to address a critical vulnerability in Virtual Traffic Manager (vTM) that could lead to an authentication bypass and the creation of unauthorized administrative users.
The vulnerability, tracked as CVE-2024-7593, carries a CVSS score of 9.8 out of 10.0, reflecting its severity.
“Ivanti vTM versions 22.2R1 or 22.7R2 are not affected by this vulnerability, which arises from an incorrect implementation of an authentication algorithm,” the company mentioned in a security advisory.
The impacted vTM versions include:
- 22.2 (resolved in version 22.2R1)
- 22.3 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.3R2 (addressed in version 22.3R3, available week of August 19, 2024)
- 22.5R1 (patched in version 22.5R2, available week of August 19, 2024)
- 22.6R1 (fixed in version 22.6R2, available week of August 19, 2024)
- 22.7R1 (resolved in version 22.7R2)
As a temporary mitigation, Ivanti advises customers to restrict admin access to the management interface or to limit that access to trusted IP addresses.
While there have been no reported incidents of exploitation in the wild, a proof-of-concept (PoC) exists, so users should apply the latest security updates promptly.
Additionally, Ivanti has addressed two vulnerabilities in Neurons for ITSM:
- CVE-2024-7569 (CVSS score: 9.6) – Information disclosure vulnerability impacting Ivanti ITSM and Neurons for ITSM versions 2023.4 and earlier.
- CVE-2024-7570 (CVSS score: 8.3) – Improper certificate validation affecting Ivanti ITSM and Neurons for ITSM versions 2023.4 and earlier.
These issues have been resolved in subsequent patch versions.
Furthermore, Ivanti has fixed five high-severity flaws in Ivanti Avalanche, resolved in version 6.4.4, that could lead to denial-of-service (DoS) attacks or remote code execution.