
Ivanti has released a trove of security updates as part of its November 2024 security advisory.
Ivanti Endpoint Manager
The most critical vulnerability, CVE-2024-50330 with a CVSS score of 9.8, is a SQL injection flaw that could allow a remote unauthenticated attacker to achieve RCE.
Path Traversal Vulnerabilities
CVE-2024-50323, CVE-2024-34787, and CVE-2024-50322 all have a CVSS score of 7.8 and could allow a local unauthenticated attacker to achieve code execution.
CVE-2024-50329 has a CVSS score of 8.8 and could allow a remote unauthenticated attacker to achieve RCE.
Remote Code Execution Vulnerabilities
SQL injection vulnerabilities are tracked as CVE-2024-32839, CVE-2024-32841, CVE-2024-32844, CVE-2024-32847, CVE-2024-34780, CVE-2024-37376, CVE-2024-34781, CVE-2024-34782, CVE-2024-34784, CVE-2024-50324, CVE-2024-50326, CVE-2024-50327, and CVE-2024-50328. All have a CVSS score of 7.2 and could allow a remote authenticated attacker with admin privileges to achieve RCE.
These vulnerabilities have been addressed in the November Security Update for both the 2024 and 2022 SU6 versions of Endpoint Manager. Customers are strongly advised to update their products to the latest versions as soon as possible to mitigate the risk of potential attacks. No active exploitation is noted.
Connect Secure, Policy Secure, and Secure Access Client products
The most critical vulnerabilities, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-39711, CVE-2024-39712, CVE-2024-11007, CVE-2024-11006, and CVE-2024-11005, all with a CVSS score of 9.1, are argument injection and command injection flaws that could allow a remote authenticated attacker with admin privileges to achieve RCE.
CVE-2024-9420 and CVE-2024-47906, both with a CVSS score of 8.8: a use-after-free vulnerability that could allow a remote authenticated attacker to achieve RCE, and excessive binary privileges that could allow a local authenticated attacker to escalate privileges.
CVE-2024-11004, with a CVSS score of 8.4: a reflected cross-site scripting vulnerability that could allow a remote unauthenticated attacker to obtain admin privileges.
CVE-2024-39709, with a CVSS score of 7.8: incorrect file permissions that could allow a local authenticated attacker to escalate privileges.
CVE-2024-37398 and CVE-2024-7571, both with a CVSS score of 7.8: insufficient validation and incorrect permissions that could allow a local authenticated attacker to escalate privileges.
CVE-2024-37400, CVE-2024-47907, CVE-2024-8495, and CVE-2024-38649, all with a CVSS score of 7.5: out-of-bounds read, null pointer dereferences, and out-of-bounds write vulnerabilities that could allow a remote unauthenticated attacker to trigger an infinite loop or cause a DoS.
CVE-2024-9842, with a CVSS score of 7.3: incorrect permissions that could allow a local authenticated attacker to create arbitrary folders.
CVE-2024-8539 and CVE-2024-29211, both with a CVSS score of 7.1: improper authorization and a race condition that could allow a local authenticated attacker to modify sensitive configuration files.
CVE-2024-9843, with a CVSS score of 5.0: a buffer over-read vulnerability that could allow a local unauthenticated attacker to cause a DoS.
CVE-2024-47905 and CVE-2024-47909, both with a CVSS score of 4.9: stack-based buffer overflow vulnerabilities that could allow a remote authenticated attacker with admin privileges to cause a denial of service.
CVE-2024-38654, with a CVSS score of 4.4: improper bounds checking that could allow a local authenticated attacker with admin privileges to cause a DoS.
Ivanti has addressed these vulnerabilities in the following versions:
- Ivanti Connect Secure 22.7R2.3
- Ivanti Policy Secure 22.7R1.2
- Ivanti Secure Access Client 22.7R4
Customers are strongly advised to update their products to the latest versions as soon as possible to mitigate the risk of potential attacks. For more details refer to the advisory.


