Full Report
Threat actors chained Ivanti CSA vulnerabilities for RCE, credential theft and webshell deployment
Analysis Summary
# Vulnerability: Chained Exploits in Ivanti Cloud Service Appliances Lead to RCE and Credential Theft
## CVE Details
- **CVE ID:** CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380 (Multiple vulnerabilities chained)
- **CVSS Score:** Not stated in the summary; because the chains end in remote code execution, the severity should be treated as High/Critical.
- **CWE:** Not specified; the flaw classes involved are administrative bypass, SQL injection, and remote code execution.
## Affected Systems
- **Products:** Ivanti Cloud Service Appliances (CSA)
- **Versions:** All versions that have not received the vendor patches. Notably, **Ivanti CSA version 4.6 has reached end-of-life and receives no further security updates**, so it remains exploitable regardless of configuration.
- **Configurations:** Any deployment running an unpatched version is affected; no configuration-specific precondition is described.
## Vulnerability Description
Threat actors actively exploited combinations of vulnerabilities in Ivanti CSAs to gain initial access, achieve remote code execution (RCE), steal credentials, and deploy webshells. The attacks leveraged two distinct chains:
1. **Chain 1:** CVE-2024-8963 (Administrative Bypass) chained with CVE-2024-8190 (RCE) and CVE-2024-9380 (RCE).
2. **Chain 2:** CVE-2024-8963 (Administrative Bypass) chained with CVE-2024-9379 (SQL Injection).
The chaining of these flaws significantly increased the danger and impact of the compromise.
## Exploitation
- **Status:** Actively exploited in the wild (since September 2024).
- **Complexity:** Not stated; the observed in-the-wild chaining indicates that exploitation is practical for capable threat actors once the administrative bypass is available.
- **Attack Vector:** Network (as these are cloud service appliances).
## Impact
- **Confidentiality:** High (Credential theft observed).
- **Integrity:** High (Webshells deployed).
- **Availability:** Medium to High (Potential system compromise/disruption).
## Remediation
### Patches
- **Action:** Organizations must upgrade to the **latest supported version** of Ivanti CSA immediately. The summary does not enumerate specific patched version numbers, only the need to upgrade; end-of-life 4.6 installations must be migrated rather than patched.
### Workarounds
- **General Security Advice:** CISA/FBI advise implementing MFA, timely endpoint monitoring, and strengthening overall security posture. These measures reduce the impact of a compromise but do not remove the vulnerabilities; only upgrading does.
## Detection
- **Indicators of Compromise (IOCs):** Organizations should hunt for malicious activity on their networks using the IOCs provided in the joint CISA/FBI advisory (the IOCs themselves are not reproduced in this summary).
- **Detection Methods and Tools:** Use the detection methods from the advisory to hunt for evidence of webshells, unauthorized administrative access, and artifacts of remote code execution on the appliance.
- **Credential Cleanup:** Treat any credentials stored on or used by a potentially compromised appliance as exposed, and replace or rotate them.
## References
- Vendor advisories (Ivanti) and the CISA/FBI joint advisory.
- Relevant links (defanged):
  - hxxps://www.infosecurity-magazine.com/news/cisa-fbi-warn-chained-attacks/
  - hxxps://www.infosecurity-magazine.com/news/ivanti-three-csa-zerodays/