February 9, 2024 at 04:36PM
Ivanti disclosed a new vulnerability in its gateways, confusing researchers who claim to have discovered it. Ivanti attributes the find to an in-house review, which is disputed by watchTowr, who published evidence of prior notification. The high-severity flaw, affecting limited versions, requires patching and mitigation. Recent security issues have prompted CISA and NCSC advisories.
Based on the provided meeting notes, it appears that there is a dispute between Ivanti and watchTowr regarding the discovery and disclosure of a vulnerability in Ivanti’s products.
Ivanti claims to have independently discovered the CVE-2024-22024 vulnerability during an internal review, while watchTowr asserts that its researchers were the first to bring the bug to Ivanti’s attention and feels that proper credit was not given.
Additionally, the vulnerability seems to be less impactful than the previous zero-day vulnerabilities, as it only affects a limited number of supported versions. There are also indications that applying the updated mitigation provided by Ivanti can offer protection against this vulnerability.
It is noteworthy that Ivanti has been facing security challenges recently, with a series of zero-day vulnerabilities being exploited and the subsequent need for patches and mitigations. This has led to urgent directives from CISA and the UK’s NCSC to address these vulnerabilities promptly.
In summary, the meeting notes highlight a disagreement over the discovery of a vulnerability, the specific details of the vulnerability, and the broader context of security challenges Ivanti has been experiencing.