In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who found it.
Researchers at watchTowr blogged today about not being credited with the discovery of CVE-2024-22024 – the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.
The high-severity authentication bypass flaw only impacts a limited number of supported versions, unlike the zero-days that came before it, and, according to Ivanti, it was found in-house.
However, watchTowr claims its researchers were the first to bring the bug to Ivanti’s attention on February 2, publishing screenshots of the emails exchanged between it and Ivanti as proof.
Commenting on the above excerpt from Ivanti’s advisory, watchTowr said: “Today, Friday February 9, 2024, we’re happy to see that Ivanti has released an advisory for this vulnerability.
“We did find this comment a little curious, but perhaps we have a new set of colleagues?” It went on to say it was “surprised” about seeing the missing credit, but assumes it was done without malice.
The vulnerability itself, to the delight of admins across the land, isn’t as serious as the others that were disclosed over the past few weeks.
As well as fewer versions being vulnerable, those who applied the updated mitigation provided on January 31 are automatically protected.
Those who applied the patch to their devices when it became available and completed a factory reset of their device(s) are also protected. There is no evidence to suggest it’s been actively exploited as a zero-day, Ivanti said, though that’s been disputed.
The limited versions impacted by the vulnerability are:
Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)
Ivanti Policy Secure (version 22.5R1.1)
ZTA (version 22.6R1.3)
A quick recap
Just like Fortinet recently, Ivanti’s been having a difficult time with security of late.
In mid-January came the first reports of two zero-days in Ivanti’s products being exploited by attackers that were either pro-China or state-sponsored by Beijing.
Since then, Ivanti has continued to work on developing patches according to its staggered schedule, which is to say it’s developing patches for the versions with the most users, and working down from there. In the meantime, it released a mitigation to keep people safe while they wait for patches.
This patching schedule was supposed to conclude on February 19, but in announcing the first patch at the end of January, Ivanti said this has been delayed.
What it also announced alongside the first patch, and it would be funny if it weren’t so serious, was that in fixing the first two zero-days, it discovered another two vulnerabilities, one of which was also exploited as a zero-day.
Better yet, Ivanti also said attackers had devised workarounds for the mitigation it provided, so it was forced to make a new one and that is still working to the best of our knowledge.
So that’s four big security holes in the space of a few weeks… today’s takes it to five.
The zero-days were under “mass exploitation” status within days, since proof of concept (PoC) code was published before Ivanti could develop patches. It was suspected at the time that 1,700 devices had backdoors implanted in them.
Underlining the severity of the situation, CISA issued its second emergency directive last week instructing federal agencies to disconnect the products entirely. This followed an initial advisory adding the first two zero-days to its “must-patch” list the same day Ivanti disclosed them.
The UK’s NCSC was also prompted into action today, publishing its own advisory urging immediate patches for all five Ivanti vulnerabilities. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2024/02/09/ivanti_discloses_fifth_ics_vulnerability/
Author: CISO2CISO Editor 2
Date: 2024-02-09 20:46:09