
Alert: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Feb. 9, 2024 | Newsroom | Vulnerability / Zero-Day

Ivanti has alerted customers to yet another severe security flaw that could allow attackers to bypass authentication on its Connect Secure, Policy Secure, and ZTA gateway devices.

The problem, tracked as CVE-2024-22024, carries a CVSS score of 8.3 out of 10.

According to the company’s advisory, the issue is an “XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), and ZTA gateways” that allows an attacker to access certain restricted resources without authentication.

The company said it found the defect during an internal review conducted as part of its ongoing investigation into the numerous security flaws in these products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, and CVE-2024-21888.


The following product versions are impacted by CVE-2024-22024:

  • Ivanti Connect Secure (versions 9.1R14.4, 9R17.2, 9.2R18.3, 22.4R2.2, and 22.5R1.1)
  • Ivanti Policy Secure (version 22.5R1.1)
  • ZTA (version 22.6R1.3)

Patches for the bug are available in Policy Secure versions 9.1R17.3, 9.2R18.4, 22.5R1.2, and 22.6R2.2, as well as ZTA versions 22.5R1.6, 21.6R1.5, and 26.2R1.7.

Although Ivanti said there is no evidence that the flaw has been actively exploited, users should act quickly to apply the latest fixes, as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 are all being widely abused.

Update

According to cybersecurity company watchTowr, which said it disclosed the issue to Ivanti in early February 2024, the problem stems from an incorrect fix for CVE-2024-21893 that was included in the most recent version of the software.

XXE introduces a range of impacts, including DoS, local file read, and SSRF. The impact of the SSRF naturally depends on which protocols can be used.
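An XXE in a SAML endpoint needs an inbound DOCTYPE to declare its entity, and no identity provider legitimately sends one. The following is an added illustration, not Ivanti's code, of how a SAML consumer built on Python's standard library can refuse any message that carries a DTD and, as a second layer, disable external-entity fetching; the Issuer extraction, the `vet_saml_response` name and the sample messages are constructed for this example.

```python
import base64
import io
from xml.sax import handler, make_parser

class DtdFound(Exception):
    """Raised the moment the parser meets a <!DOCTYPE ...> declaration."""

class NoDtdAllowed:
    """Lexical handler: a DTD in a SAML message is never legitimate, so stop right there."""
    def startDTD(self, name, public_id, system_id):
        raise DtdFound(f"DTD declared for <{name}> rejected before any entity could be resolved")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

class IssuerCollector(handler.ContentHandler):
    """Records the saml:Issuer text so the caller can pick the right IdP signing key."""
    def __init__(self):
        super().__init__()
        self.issuer, self._in_issuer = "", False
    def startElement(self, name, attrs):
        self._in_issuer = name.rsplit(":", 1)[-1] == "Issuer"
    def characters(self, content):
        if self._in_issuer:
            self.issuer += content
    def endElement(self, name):
        self._in_issuer = False

def vet_saml_response(b64_response: str) -> dict:
    """Decode a SAMLResponse form field; accept only DTD-free XML and report its Issuer."""
    parser = make_parser()
    # Belt and braces: even if a DTD slipped through, never fetch external entities.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, NoDtdAllowed())
    collector = IssuerCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(base64.b64decode(b64_response)))
    except DtdFound as exc:
        return {"accepted": False, "detail": str(exc)}
    return {"accepted": True, "issuer": collector.issuer}

# Constructed samples, not captured traffic: a clean response and the same one with a DTD prepended.
NS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
BENIGN_B64 = base64.b64encode(f'<samlp:Response {NS} ID="_c1" Version="2.0"><saml:Issuer>https://idp.example.test/metadata</saml:Issuer></samlp:Response>'.encode()).decode()
WITH_DTD_B64 = base64.b64encode(b'<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM "file:///example-only">]>' + base64.b64decode(BENIGN_B64)).decode()
```

Because the rejection happens in the parser's own DOCTYPE callback, it is not fooled by encoding tricks that a regex over the raw bytes would miss.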
