Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).
The list of flaws is as follows:
- CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
- CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
- CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack or, in certain conditions, read contents from memory.
- CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
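For the XML entity expansion class described under CVE-2024-22023, a common defensive measure is to refuse any SAML message that carries a DTD before it reaches the real parser. The sketch below is an added example, not Ivanti's code or its fix (the article does not describe the patch); `screen_saml_xml`, the size ceiling and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat

MAX_SAML_BYTES = 256 * 1024  # assumed size ceiling for one SAML message


class RejectedXML(ValueError):
    """Raised by the handlers below to abort parsing early."""


def screen_saml_xml(data: bytes, max_bytes: int = MAX_SAML_BYTES):
    """Return (accepted, reason) for a raw SAML message before real parsing."""
    if len(data) > max_bytes:
        return False, "too large"

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # SAML messages never need a DTD, and entities can only be declared in one.
        raise RejectedXML("doctype")

    def on_entity_decl(*_args):
        # Defense in depth in case a declaration is reached some other way.
        raise RejectedXML("entity declaration")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except RejectedXML as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError:
        return False, "malformed"
    return True, "ok"


# Constructed sample inputs (not taken from any advisory or capture).
PLAIN = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         b'ID="_constructed1" Version="2.0"/>')
NESTED = (b'<?xml version="1.0"?>'
          b'<!DOCTYPE r [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
          b'<r>&b;</r>')

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("nested entities", NESTED)):
        print(label, screen_saml_xml(doc))
```

The check aborts at the `<!DOCTYPE` token, so no entity is ever expanded, and the rejection reason can be logged as a detection signal for unauthenticated SAML endpoints.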
The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it's not aware of “any buyers being exploited by these vulnerabilities at the time of disclosure.”
Late last month, Ivanti shipped patches for a critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could allow an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.
It also fixed another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.
In an open letter published on April 3, 2023, Ivanti’s CEO Jeff Abbott said the company is taking a “near glimpse” at its own posture and processes to meet the requirements of the current threat landscape.
Abbott also said “occasions in the latest months have been humbling” and that it's executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.
“We are intensifying our interior scanning, guide exploitation and testing capabilities, partaking trustworthy 3rd events to increase our inner investigation and facilitating accountable disclosure of vulnerabilities with enhanced incentives around an enhanced bug bounty plan,” Abbott said.
Some parts of this article are sourced from:
thehackernews.com