
Ivanti has released patches for two vulnerabilities in its Neurons for IT Service Management (ITSM) platform, with potential risks ranging from unauthorized information disclosure to full system compromise.
The first vulnerability, tracked as CVE-2024-7569 with a CVSS score of 9.6, allows an unauthenticated attacker to obtain the OIDC client secret through exposed debug information. An attacker holding that secret gains unauthorized access to sensitive information and a foothold for further exploitation within the ITSM environment.
This is critical for organizations that rely on OIDC authentication in their ITSM deployment: the client secret is what identifies the ITSM application to the identity provider, so its exposure undermines the integrity of the entire authentication flow and could allow attackers to impersonate legitimate users or services.
The second vulnerability, tracked as CVE-2024-7570 with a CVSS score of 8.3, stems from improper certificate validation within Ivanti Neurons for ITSM. A remote attacker in a Man-in-the-Middle (MITM) position can craft a malicious token that grants access to the ITSM system as any user. The implications are severe, as it could lead to unauthorized access, data manipulation, or disruption of critical IT services.
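Both flaws attack the same trust chain: an OIDC client accepts a token only because it trusts the key material behind it, and that trust depends on the client secret staying private (CVE-2024-7569) and on the keys or discovery data being fetched over a properly validated TLS connection (CVE-2024-7570). The following Python is an added illustration of that chain, not code from the article or from Ivanti: it shows the weak TLS setting beside the hardened one, a pre-flight check for it, and a minimal ID-token verifier. The advisory does not state which token format ITSM uses; the HS256 token signed with a shared client secret, the issuer `https://idp.example`, the audience `itsm`, and the secret values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import ssl
import time


def make_tls_context(verify: bool = True) -> ssl.SSLContext:
    """TLS context an OIDC client would use when fetching the issuer's
    discovery document or signing keys.  verify=False reproduces the
    "improper certificate validation" pattern: any certificate, including
    one presented by an on-path attacker, is accepted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check: both settings must hold, otherwise a MITM can
    substitute signing keys and mint tokens the client will accept."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT.  Whoever holds `key` (the shared client secret in
    this assumed setup) can issue a token for any subject."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Return the claims if the token is valid for this client, else None.
    The signature check is only as strong as the provenance of `key`."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":    # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, now = b"constructed-client-secret", 1_700_000_000
    good = sign_hs256({"iss": "https://idp.example", "aud": "itsm",
                       "sub": "alice", "exp": now + 300}, secret)
    forged = sign_hs256({"iss": "https://idp.example", "aud": "itsm",
                         "sub": "admin", "exp": now + 300}, b"attacker-key")
    print("hardened context ok:", context_validates_peer(make_tls_context(True)))
    print("weak context ok:    ", context_validates_peer(make_tls_context(False)))
    print("legit token:        ", verify_id_token(good, secret, "https://idp.example", "itsm", now))
    print("forged token:       ", verify_id_token(forged, secret, "https://idp.example", "itsm", now))
```

The point of the last two cases is that the verifier rejects a token signed with a key it does not trust, but offers no protection once the trusted key itself is in the attacker's hands, whether leaked through debug output or swapped in through an unvalidated TLS connection. Checking `context_validates_peer` on every context used to reach the identity provider is a cheap guard against the second path; rotating the client secret after patching is the only remedy for the first.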
Ivanti has already applied patches to all cloud-based Ivanti Neurons for ITSM environments as of August 4, ensuring that cloud customers are protected from these vulnerabilities. However, on-premises customers must act quickly to secure their systems.
Ivanti strongly recommends that all on-premises customers running versions 2023.4 and earlier apply the available patches immediately to mitigate the risks associated with these vulnerabilities. The company says it has not observed any exploitation of either vulnerability in the wild.

