CISA’s Warning: Ivanti CSA Flaw Under Active Attack
On September 10, 2024, Ivanti released a security advisory for a vulnerability in its Cloud Service Appliance (CSA) product. Initially the flaw drew little interest, since Ivanti stated that exploitation required authentication. By September 13, however, it had been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which prompted researchers at Horizon3 to take a closer look.
The command injection vulnerability CVE-2024-8190 (CVSS score: 7.2) affects CSA 4.6 Patch 518 and earlier. It allows an authenticated attacker to execute arbitrary operating-system commands on the appliance. In dual-homed deployments where the internal interface is ETH-0, as Ivanti recommends, the risk is significantly reduced, because the vulnerable administrative console is not reachable from the external interface.
Exploiting the vulnerability requires administrator privileges on the device. Researchers noted that the flaw can nevertheless be exposed to internet-based attackers when the device’s network interfaces are misconfigured and the console ends up on the externally facing interface.
Reviewing the security update, the researchers found that the CSA web console is written in PHP and that the patch modifies several PHP files. The key change is in the handleDateTimeSubmit function, which passes the TIMEZONE request parameter to a routine that builds an operating-system command. The unpatched version performed no validation on that value, so an attacker could append arbitrary shell commands to it.
Exploit development showed that the vulnerable code lives in the /datetime.php script, which is served only on the “internal” interface and requires authentication. With a valid username and password, the vulnerability is trivially exploitable, confirming the risk for users who have not followed Ivanti’s configuration guidance.
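The pattern described above, an unvalidated timezone value spliced into a shell command, is re-created here in Python as an added illustration; this is not Ivanti’s PHP code, and the timedatectl invocation and the small zone allowlist are assumptions made for the example. The hardened form rejects anything that is not a well-formed, known IANA zone name and passes the value as a separate argv element rather than through a shell string.

```python
import re
from typing import Iterable, List

# Constructed allowlist standing in for the zone database on the appliance.
# A real deployment would build this from the system tz database
# (for example zoneinfo.available_timezones()) rather than hard-code it.
KNOWN_ZONES = frozenset({"UTC", "Europe/London", "America/New_York", "Asia/Tokyo"})

# Shape check for IANA zone names: Area[/Location[/Sub]] built from letters,
# digits, '_', '+' and '-'. Used with fullmatch, so no anchors are needed.
ZONE_RE = re.compile(r"[A-Za-z]+(?:/[A-Za-z0-9_+\-]+){0,2}")


def build_command_vulnerable(timezone: str) -> str:
    """Re-creation of the flawed pattern (not the appliance's real code).

    The request parameter is concatenated into a shell string, so a value such
    as 'UTC; id' turns one command into two when run through a shell.
    """
    # hypothetical command; the point is the string concatenation
    return f"timedatectl set-timezone {timezone}"


def is_valid_timezone(timezone: str, known_zones: Iterable[str] = KNOWN_ZONES) -> bool:
    """Allowlist check: well-formed zone name AND present in the known set."""
    if ZONE_RE.fullmatch(timezone) is None:
        return False
    return timezone in set(known_zones)


def build_command_hardened(timezone: str, known_zones: Iterable[str] = KNOWN_ZONES) -> List[str]:
    """Hardened form: validate against the allowlist, then pass the value as its
    own argv element so it can never be parsed as shell syntax.

    Raises ValueError on anything that fails validation.
    """
    if not is_valid_timezone(timezone, known_zones):
        raise ValueError(f"rejected timezone value: {timezone!r}")
    # The caller would run this with subprocess.run(argv, shell=False).
    return ["timedatectl", "set-timezone", timezone]


if __name__ == "__main__":
    payload = "UTC; id"
    print("vulnerable builds:", build_command_vulnerable(payload))
    for candidate in ("Europe/London", payload, "$(id)", "Mars/Olympus"):
        try:
            print("hardened accepts:", build_command_hardened(candidate))
        except ValueError as exc:
            print("hardened rejects:", exc)
```

Note that escaping alone (for example shlex.quote) would stop the shell from interpreting the payload, but the allowlist is the stronger fix here: the parameter has a small, well-defined set of legitimate values, so anything outside that set should be rejected before it reaches any command at all.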
Ivanti recommends configuring ETH-0 as the internal interface, and testing confirmed that requests arriving on the external interface (ETH-1) receive a 403 Forbidden response, which keeps the console out of reach of external attackers. Users who swapped the interfaces by mistake, or never completed the configuration, risk exposing the console to the internet.
When the console is internet-exposed, the appliance does not limit login attempts, so a weak password can be brute-forced with little effort. The appliance ships with a default admin account, but the system forces a password change at first login, so an attacker still depends on the administrator having chosen a guessable replacement.
The researchers believe the compromised devices were either never properly configured or protected by weak passwords, which is what made exploitation possible. Indicators of compromise include log entries showing a run of failed login attempts followed by a successful authentication. Users are advised to review their logs for this pattern and to apply the fix promptly: Ivanti released CSA 4.6 Patch 519 for this issue and, since 4.6 is end of life, recommends upgrading to CSA 5.0.
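The two indicators above, an unthrottled brute force that ends in a successful login and an administrative request reaching the console from outside the internal network, can be checked mechanically. The following added example (not from the article or from Ivanti) runs that logic over a handful of constructed log lines. The syslog-like layout, the csa-web tag, the field names and the RFC 1918 definition of “internal” are all assumptions made for the example; adapt LINE_RE and INTERNAL_NETS to the appliance’s actual log format and your own address plan.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in an ASSUMED syslog-like layout. This is not the
# CSA's real log format; it only exists so the example runs offline.
SAMPLE_LOG = """\
2024-09-12T03:14:02Z csa-web: login failed user=admin src=203.0.113.7
2024-09-12T03:14:03Z csa-web: login failed user=admin src=203.0.113.7
2024-09-12T03:14:05Z csa-web: login failed user=admin src=203.0.113.7
2024-09-12T03:14:06Z csa-web: login failed user=admin src=203.0.113.7
2024-09-12T03:14:08Z csa-web: login failed user=admin src=203.0.113.7
2024-09-12T03:14:09Z csa-web: login succeeded user=admin src=203.0.113.7
2024-09-12T03:14:11Z csa-web: POST /datetime.php user=admin src=203.0.113.7
2024-09-12T08:02:00Z csa-web: login failed user=admin src=10.0.0.5
2024-09-12T08:02:30Z csa-web: login succeeded user=admin src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) csa-web: (?P<event>login failed|login succeeded|(?:GET|POST) \S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                # failures before a success that we treat as brute force
WINDOW = timedelta(minutes=10)    # how far back from the success we look
# Assumed definition of "internal": the RFC 1918 ranges. Replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text: str) -> List[Dict]:
    """Turn matching lines into event dicts with a real datetime; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_bruteforce_then_success(events: List[Dict], threshold: int = FAIL_THRESHOLD,
                                 window: timedelta = WINDOW) -> List[Dict]:
    """Flag each successful login preceded by >= threshold failures from the
    same source inside the window: the pattern an unthrottled login page invites."""
    findings = []
    for ev in events:
        if ev["event"] != "login succeeded":
            continue
        failures = [
            f for f in events
            if f["event"] == "login failed"
            and f["src"] == ev["src"]
            and ev["ts"] - window <= f["ts"] < ev["ts"]
        ]
        if len(failures) >= threshold:
            findings.append({"src": ev["src"], "user": ev["user"],
                             "ts": ev["ts"], "failures": len(failures)})
    return findings


def find_external_datetime_requests(events: List[Dict],
                                    internal_nets=INTERNAL_NETS) -> List[Dict]:
    """Any request to datetime.php from outside the internal ranges. The console
    should only be reachable on the internal interface, so this should be empty."""
    findings = []
    for ev in events:
        if not ev["event"].endswith("/datetime.php"):
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in internal_nets):
            findings.append({"src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return findings


def analyze(text: str) -> Dict[str, List[Dict]]:
    """Run both detections over a log text and return the findings by kind."""
    events = parse_log(text)
    return {
        "brute_force": find_bruteforce_then_success(events),
        "external_datetime_requests": find_external_datetime_requests(events),
    }


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample data the 10.0.0.5 login is not flagged (one failure, internal source), while 203.0.113.7 triggers both detections: five failures in seven seconds followed by a success, and then a POST to the vulnerable script from a non-internal address. Tune FAIL_THRESHOLD and WINDOW to your environment; a console that is correctly bound to ETH-0 should never produce the second class of finding at all.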