Ivanti patches exploited admin command execution flaw

September 20, 2024 at 11:37AM

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the latest Ivanti weakness, a path traversal flaw, to its Known Exploited Vulnerabilities catalog. This follows a string of high-profile path traversal bugs affecting IT vendors. Ivanti has released a fix for the critical-severity bug affecting its Cloud Services Appliance, and CISA continues to push IT vendors toward secure-by-design development practices.

Key takeaways from the article:

1. CISA has added the latest Ivanti weakness, CVE-2024-8963, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a path traversal bug affecting Ivanti Cloud Services Appliance (CSA) 4.6 and carries a critical severity rating of 9.4.

2. The fix for CVE-2024-8963 is available and should be applied at the earliest possible opportunity. It will be the last patch backported to version 4.6, with Ivanti recommending an upgrade to version 5.0 for ongoing security updates.

3. Attackers can abuse the CVE-2024-8963 vulnerability to access restricted functionality, and it can be chained with a separate command injection flaw (CVE-2024-8190) to execute commands with admin privileges.

4. Ivanti recommends that customers review the CSA for modified or newly added administrative users and look for signs of compromise in broker logs and EDR alerts. Customers are encouraged to rebuild the CSA with patch 519 or upgrade to version 5.0 if signs of compromise are found.

5. CISA’s boss, Jen Easterly, has emphasized the importance of secure-by-design (SBD) development practices and has consistently pressured IT vendors to commit to SBD.

6. Ivanti’s CEO, Jeff Abbott, has announced the adoption of an SBD approach to development and improvements to engineering and security practices following vulnerabilities in Connect Secure and Policy Secure.

7. Volexity experts have warned that failure to apply mitigation for vulnerabilities promptly could lead to exploitation of an organization’s VPN.

8. CISA has launched its secure-by-design pledge, allowing vendors to publicly commit to addressing common weaknesses in products.
