Ivanti Patches Heap Overflows & DoS Dangers: Secure Your Gateways from New Exploits!

Beware, cyber defenders! Ivanti scrambles to patch a quartet of pesky bugs threatening to turn your secure gateways into chaotic code carnivals. Heap overflows, null pointer hi-jinks – it’s a full-blown security soiree! Patch up or risk an uninvited crasher turning your system into a digital ghost town. #SecurityPatchParty

Hot Take:

Looks like Ivanti’s getting a crash course in cybersecurity patch management, only this time, it’s not a drill. The company’s serving up a smorgasbord of patches for vulnerabilities that sound more like a hacker’s wish list. Heap overflows, null pointers, and XML entity expansions, oh my! With CVSS scores hitting the 8.2 mark, it’s like a buffet of bugs where the main course is code execution and the dessert is denial-of-service. Bon appétit, cyber defenders!

Key Points:

  • Four spicy new vulnerabilities have been uncovered in Ivanti Connect Secure and Policy Secure Gateways, with the potential for code execution and DoS attacks – hackers are drooling.
  • The most severe flaw rocks a CVSS score of 8.2 and involves a heap overflow that could let unauthenticated party crashers run arbitrary code.
  • Another bug, also with an 8.2 CVSS score, could let attackers read memory contents, essentially turning Ivanti’s security gateway into an open book.
  • There’s a “lighter” vulnerability (CVSS 5.3) that allows an attacker to exhaust resources with a fancy XML request, causing a DoS that’s the cybersecurity equivalent of a food coma.
  • Ivanti’s CEO pens an open letter promising a security glow-up with “secure-by-design” principles, transparency, and a buffed-up bug bounty program. It’s their “New Year, New Me” pledge in April.

CVE ID: CVE-2024-22053
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 04/04/2024
CVE description: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

CVE ID: CVE-2024-22052
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 04/04/2024
CVE description: A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.

CVE ID: CVE-2023-46808
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 03/31/2024
CVE description: A file upload vulnerability in Ivanti ITSM before 2023.4 allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user.

CVE ID: CVE-2024-22023
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 04/04/2024
CVE description: An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

CVE ID: CVE-2023-41724
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 03/31/2024
CVE description: A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows an unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.

CVE ID: CVE-2024-21894
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 04/04/2024
CVE description: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.

Need to know more?

What's Cooking in Ivanti's Kitchen?

Just when you thought it was safe to connect securely, Ivanti's dishing out some hotfixes for a quartet of vulnerabilities that could give hackers the keys to the kingdom. With names that sound like they were pulled from a cyberpunk novel, these flaws could let baddies do everything from crashing the party (DoS-style) to executing arbitrary code - the cyber equivalent of cutting the line and ordering off-menu.

Heap of Trouble

Our main course features not one, but two heap overflow vulnerabilities with a side of potential code execution. It's like finding out your two-for-one deal comes with a free side of food poisoning. And for an encore, there's a null pointer dereference bug that's the digital equivalent of a "slippery when wet" sign in the world of memory management.

XML Entities Gone Wild

For those with a taste for XML, there's a vulnerability that could lead to a denial-of-service that's so exclusive, it's like getting VIP access to a club that's on fire. This bug's all about crafting that special XML request that's like ordering a drink so complicated, the server just gives up and goes home.
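For defenders running their own SAML endpoints, the standard guard against entity-expansion DoS is to refuse any inbound message that declares a DOCTYPE or entities, and to cap size and nesting, before the message reaches the real parser. The Python below is an added example, not Ivanti's code or its fix; the function name, the limits and the sample messages are assumptions constructed here.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Message rejected before it reaches the real SAML parser."""

def check_saml_xml(data, max_bytes=64 * 1024, max_depth=32):
    """Return the root element name, or raise UnsafeXML (hypothetical helper)."""
    if len(data) > max_bytes:
        raise UnsafeXML("message too large")
    state = {"depth": 0, "root": None}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # SAML messages never need a DTD, so any DOCTYPE is refused outright.
        raise UnsafeXML("DOCTYPE not allowed")

    def forbid_entity(*_args):
        raise UnsafeXML("entity declaration not allowed")

    def start(name, _attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            raise UnsafeXML("nesting too deep")
        if state["root"] is None:
            state["root"] = name

    def end(_name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return state["root"]

# Constructed samples: a plain request, and one that declares a single entity.
NS = b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
PLAIN = b'<samlp:AuthnRequest ' + NS + b' ID="_constructed1" Version="2.0"/>'
DECLARES_ENTITY = (b'<!DOCTYPE r [<!ENTITY a "x">]>'
                   b'<samlp:AuthnRequest ' + NS + b' ID="_constructed2">&a;</samlp:AuthnRequest>')

if __name__ == "__main__":
    print(check_saml_xml(PLAIN))
```

Rejections are worth logging with the source address: a burst of "DOCTYPE not allowed" against a SAML endpoint is a useful detection signal on its own.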

A Heartfelt Letter from the CEO

In what could be mistaken for a cybersecurity version of a New Year's resolution, Ivanti's CEO Jeff Abbott is making promises to buff up the company's digital defenses with a heartfelt open letter. He's talking a big game about "secure-by-design" principles and transparency, which, in corporate speak, is like saying, "We're going to start locking the doors and maybe not leave the keys under the mat."

The Promise of a Bug Bounty Buffet

Abbott's letter also hints at a supersized bug bounty program with "increased incentives." For the uninitiated, that's corporate for, "We'll pay you more not to tell everyone how easy it was to break in." It's like offering a reward for finding the secret ingredient in grandma's recipe, only the secret ingredient is a glaring security hole.

In the grand scheme of things, Ivanti's taking some lumps but seems to be learning from the experience. They're stirring up their security strategy with a dash of humility and a pinch of proactive patching. Let's just hope their "secure-by-design" recipe is more secret sauce and less playing with fire. Cybersecurity enthusiasts and IT admins, grab your forks – it's time to dig in and patch up!

Tags: CVE-2024-21894, CVE-2024-22023, CVE-2024-22052, CVE-2024-22053, denial of service, secure-by-design principles, vulnerability management