Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining four bugs — CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) — also fall under the same category, with the only change being that they require the attacker to be authenticated.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could allow an attacker to achieve remote code execution by uploading a specially crafted file.
In addition, patches have been shipped for five other high-severity vulnerabilities: an SQL injection (CVE-2024-22059) and an unrestricted file upload bug (CVE-2024-22060) in Neurons for ITSM, a CRLF injection flaw in Connect Secure (CVE-2023-38551), and two local privilege escalation issues in the Secure Access client for Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti stressed that there is no evidence of the flaws being exploited in the wild or that they were “launched into our code advancement course of action maliciously” via a supply chain attack.
The development comes as details emerged about a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix (CVE-2024-4701, CVSS score: 9.9) that could lead to remote code execution.
Described as a path traversal vulnerability, the shortcoming could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The issue stems from the fact that Genie’s REST API is designed to accept a user-supplied filename as part of the request, thus allowing a malicious actor to craft a filename such that it can break out of the default attachment storage path and write a file with any user-specified name to a path specified by the actor.
“Any Genie OSS consumers managing their very own instance and relying on the filesystem to store file attachments submitted to the Genie application may possibly be impacted,” the maintainers stated in an advisory.
“Using this procedure, it is possible to create a file with any person-specified filename and file contents to any locale on the file system that the Java approach has generate obtain to – likely major to remote code execution (RCE).”
That said, users who do not store the attachments locally on the underlying file system are not susceptible to this issue.
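The containment check that closes this class of bug, shown as an added example (it is not Genie's code and not taken from the advisory): the `AttachmentStore` class, its methods, and the sample filenames are hypothetical. It resolves the client-supplied name against the storage root and rejects anything that lands outside it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
// Hypothetical attachment store; class and method names are illustrative, not Genie's.
public class AttachmentStore {
    private final Path baseDir;
    public AttachmentStore(Path baseDir) throws IOException {
        Files.createDirectories(baseDir);
        this.baseDir = baseDir.toRealPath(); // canonical root, symlinks resolved
    }

    // Unsafe pattern: the client-supplied name is joined to the root as-is,
    // so "../" segments or an absolute path select a location outside it.
    Path unsafeTarget(String filename) {
        return baseDir.resolve(filename);
    }

    // Hardened pattern: normalize the joined path and require that it is
    // still below the storage root before anything is written.
    Path safeTarget(String filename) {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            throw new SecurityException("invalid attachment name");
        }
        Path target = baseDir.resolve(filename).normalize();
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new SecurityException("attachment name escapes storage root");
        }
        return target;
    }

    public Path save(String filename, byte[] content) throws IOException {
        Path target = safeTarget(filename);
        Files.createDirectories(target.getParent());
        return Files.write(target, content);
    }

    public static void main(String[] args) throws IOException {
        AttachmentStore store = new AttachmentStore(Files.createTempDirectory("attachments"));
        // Constructed sample names: one benign, two that try to leave the root.
        for (String name : new String[] {"job/query.sql", "../../outside.txt", "/tmp/outside.txt"}) {
            try {
                System.out.println("stored   " + store.save(name, "demo".getBytes(StandardCharsets.UTF_8)));
            } catch (SecurityException e) {
                System.out.println("rejected " + name + " -> unsafe join: " + store.unsafeTarget(name).normalize());
            }
        }
    }
}
```

The check is lexical: if symlinks can exist inside the storage root, compare the real path of the target's parent directory against the root as well.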
“If prosperous, this kind of an attack could idiot a web software into reading through and for that reason exposing the contents of data files outside of the doc root directory of the application or the web server, such as credentials for again-close devices, application code and info, and sensitive functioning system files,” Contrast Security researcher Joseph Beeton claimed.
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal flaws in software to breach targets, calling on developers to adopt a secure by design approach for eliminating such security holes.
“Incorporating this risk mitigation at the outset – starting in the design and style period and continuing via solution launch and updates – minimizes both the stress of cybersecurity on shoppers and risk to the general public,” the authorities reported.
The disclosure also comes in the wake of a pair of vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s ControlEdge Unit Operations Controller (UOC) that can result in unauthenticated remote code execution.
“An attacker previously on an OT network would use a destructive network packet to exploit this vulnerability and compromise the virtual controller,” Claroty stated. “This attack could be carried out remotely in get to modify documents, ensuing in total control of the controller and the execution of malicious code.”
Some parts of this article are sourced from:
thehackernews.com