The Cyber Security News

Ivanti Rushes Patches for 4 New Flaw in Connect Secure and Policy Secure

April 4, 2024

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

  • CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
  • CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
  • CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack, or in certain conditions read contents from memory.
  • CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
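
The XEE entry above describes a resource-exhaustion attack on a SAML parser: the attacker supplies a DOCTYPE whose entities reference each other so that one short reference expands to megabytes of text. The following Python is an added example, not Ivanti's code and not the specific CVE-2024-22023 trigger; it shows the standard service-provider-side defence, which is to refuse any SAML message that declares a DOCTYPE or entity before the parser can expand anything, since SAML 2.0 messages never legitimately carry one. The SAML documents, the `MAX_SAML_BYTES` cap, the function names and the billion-laughs generator are all constructed for illustration.

```python
"""
Added example (not Ivanti code): reject DTDs before a SAML parser expands anything.

expat invokes StartDoctypeDeclHandler the moment it reads '<!DOCTYPE', before
the internal subset is processed, so raising from that handler stops the parse
before any entity is defined, let alone expanded. The sample documents below
are constructed for this example.
"""
import xml.parsers.expat

MAX_SAML_BYTES = 1_000_000  # assumed cap; real SAML responses are far smaller


class DtdNotAllowed(ValueError):
    """A DOCTYPE or entity declaration appeared in a SAML message."""


def parse_saml_root(xml_bytes: bytes) -> str:
    """Parse a SAML message and return its root element name, or raise."""
    if len(xml_bytes) > MAX_SAML_BYTES:
        raise ValueError("SAML message exceeds size cap")

    parser = xml.parsers.expat.ParserCreate()
    root_name = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE' before the internal subset is read.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not permitted in SAML")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Not reachable when on_doctype fires first; kept as a second guard.
        raise DtdNotAllowed(f"entity {name!r} is not permitted in SAML")

    def on_start_element(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return root_name[0]


def is_safe_saml(xml_bytes: bytes) -> bool:
    """True only if the message parsed with no DTD, no size breach and no XML error."""
    try:
        parse_saml_root(xml_bytes)
        return True
    except (ValueError, xml.parsers.expat.ExpatError):
        return False


# Constructed minimal SAML Response (no assertion, no signature).
BENIGN_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2024-04-04T00:00:00Z">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)


def billion_laughs_response(depth: int = 9, fanout: int = 10) -> bytes:
    """Constructed XEE payload: entity e{i} references `fanout` copies of e{i-1},
    so a single &e{depth}; reference would expand to fanout**depth copies of 'lol'."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        ref = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{ref}">')
    dtd = "<!DOCTYPE samlp:Response [" + "".join(decls) + "]>"
    body = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_xee" Version="2.0">&e{depth};</samlp:Response>'
    )
    return ('<?xml version="1.0"?>' + dtd + body).encode()


if __name__ == "__main__":
    print(parse_saml_root(BENIGN_RESPONSE))         # samlp:Response
    print(is_safe_saml(billion_laughs_response()))  # False
```

The point of raising from the DOCTYPE handler rather than scanning the expanded output is that the cost is paid by the attacker's bytes, not by the server's memory: the parse aborts after reading the first dozen characters of the DTD. The size cap is the second half of the same defence, since a DTD-free document can still be made large outright.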

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it's not aware of "any customers being exploited by these vulnerabilities at the time of disclosure."


Late last month, Ivanti shipped patches for a critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could allow an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.

It also fixed another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse to perform arbitrary file writes and obtain code execution.

In an open letter published on April 3, 2024, Ivanti's CEO Jeff Abbott said the company is taking a "close look" at its own posture and processes to meet the requirements of the current threat landscape.

Abbott also said "events in recent months have been humbling" and that it's executing a plan that fundamentally changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.

"We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program," Abbott said.



Some elements of this article are sourced from:
thehackernews.com


Copyright © TheCyberSecurity.News, All Rights Reserved.