Ivanti Releases Security Updates for Multiple Products

Summary

Updates address critical vulnerabilities in Cloud Services Application, Connect Secure, and Policy Secure


Threat details

Introduction

Ivanti has released security advisories addressing vulnerabilities in Cloud Services Application, Connect Secure, and Policy Secure. 

Ivanti Cloud Services Appliance (CSA) is an appliance that provides secure communication and functionality over the internet. Ivanti Connect Secure and Policy Secure are SSL VPN solutions used for remote and mobile access to corporate resources.


Vulnerability details

Security Advisory Ivanti Cloud Services Application (CSA)

  • CVE-2024-11639 is an authentication bypass vulnerability in CSA with a CVSSv3 score of 10.0, which could allow a remote unauthenticated attacker to gain administrative access.
  • CVE-2024-11772 is a command injection vulnerability in CSA with a CVSSv3 score of 9.1, which could allow a remote authenticated attacker with admin privileges to achieve remote code execution (RCE).
  • CVE-2024-11773 is an SQL injection vulnerability in CSA with a CVSSv3 score of 9.1, which could allow a remote authenticated attacker with admin privileges to run arbitrary SQL statements. 

December 2024 Security Advisory Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) 

  • CVE-2024-11633 is an argument injection vulnerability in Connect Secure with a CVSSv3 score of 9.1, which could allow a remote authenticated attacker with admin privileges to achieve RCE.
  • CVE-2024-11634 is a command injection vulnerability in Connect Secure and Policy Secure with a CVSSv3 score of 9.1, which could allow a remote authenticated attacker with admin privileges to achieve RCE.

Remediation advice

Affected organisations are strongly encouraged to review Ivanti's December Security Update blog and the security advisories below, applying any relevant updates.


Remediation steps

  • Patch: Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-11639, CVE-2024-11772, CVE-2024-11773)
    https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US
  • Patch: December 2024 Security Advisory Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) (Multiple CVEs)
    https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs?language=en_US


Last edited: 11 December 2024 2:59 pm