Ivanti Rushes Patches for 4 New Flaw in Connect Secure and Policy Secure

We Keep you Connected

Ivanti Rushes Patches for 4 New Flaw in Connect Secure and Policy Secure

Apr 04, 2024NewsroomCommunity Safety / Vulnerability

Ivanti

Ivanti has excepted safety updates to deal with 4 safety flaws impacting Fasten Hold and Coverage Hold Gateways that might lead to code execution and denial-of-service (DoS).

The checklist of flaws is as follows –

  • CVE-2024-21894 (CVSS rating: 8.2) – A heap inundation vulnerability within the IPSec property of Ivanti Fasten Hold (9.x, 22.x) and Ivanti Coverage Hold permits an unauthenticated bad consumer to ship specifically crafted requests to bring to strike the provider thereby inflicting a DoS assault. In sure situations, this will govern to execution of arbitrary code.
  • CVE-2024-22052 (CVSS rating: 7.5) – A zero pointer dereference vulnerability in IPSec property of Ivanti Fasten Hold (9.x, 22.x) and Ivanti Coverage Hold permits an unauthenticated bad consumer to ship specifically crafted requests to bring to strike the provider thereby inflicting a DoS assault.
  • CVE-2024-22053 (CVSS rating: 8.2) – A heap inundation vulnerability within the IPSec property of Ivanti Fasten Hold (9.x, 22.x) and Ivanti Coverage Hold permits an unauthenticated bad consumer to ship specifically crafted requests to bring to strike the provider thereby inflicting a DoS assault or in sure situations learn contents from reminiscence.
  • CVE-2024-22023 (CVSS rating: 5.3) – An XML entity enlargement or XEE vulnerability in SAML property of Ivanti Fasten Hold (9.x, 22.x) and Ivanti Coverage Hold permits an unauthenticated attacker to ship specifically crafted XML requests to bring to briefly motive useful resource exhaustion thereby for the purpose of a limited-time DoS.

The corporate, which has been grappling with a gentle tide of safety flaws in its merchandise for the reason that get started of the while, said it’s now not acutely aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”

Cybersecurity

Overdue closing hour, Ivanti shipped patches for important shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS rating: 9.6) that might allow an unauthenticated warning actor to blast arbitrary instructions at the underlying running machine.

It additionally resolved any other important flaw impacting on-premises variations of Neurons for ITSM (CVE-2023-46808, CVSS rating: 9.9) that an authenticated far off attacker may abuse to bring to accomplish arbitrary record writes and acquire code execution.

In an visible letter revealed on April 3, 2023, Ivanti’s CEO Jeff Abbott said the corporate is taking a “close look” at its personal posture and processes to fulfill the necessities of the tide warning ground.

Abbott additionally stated “events in recent months have been humbling” and that it’s executing a plan that necessarily adjustments its safety running fashion by means of adopting secure-by-design principles, sharing data with consumers with entire transparency, and rearchitecting its engineering, safety, and vulnerability control practices.

“We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program,” Abbott stated.

 

Discovered this newsletter attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

The Hacker Information

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE