Three security advisories address 49 vulnerabilities in Ivanti Avalanche, Ivanti Endpoint Manager (EPM), Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client

Threat ID:CC-4575

Threat Severity:Medium

Published:14 November 2024 9:35 AM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: All prior to 6.4.6

Ivanti Avalanche

Versions: all prior to 2024 November Security Update, all prior to 2022 SU6 November Security Update

Ivanti Endpoint Manager

Versions: all prior to 22.7R2.3

Ivanti Connect Secure

Versions: all prior to 22.7R1.2

Ivanti Policy Secure

Versions: all prior to 22.7R4

Ivanti Secure Access (formerly known as Pulse Secure Desktop Client)Ivanti Secure Access Client

Threat details

Introduction

Ivanti has released the following three security advisories addressing vulnerabilities in multiple products.

Security Advisory Ivanti Avalanche (Multiple CVEs) - Q4 2024 Release
Ivanti Avalanche is a mobile device management solution and is used to remotely manage, deploy software, and schedule updates for enterprise mobile devices. Successful exploitation of five of the vulnerabilities could lead to denial-of-service (DoS) and one vulnerability could lead to information disclosure. All are rated with a CVSSv3 score of 7.5. Ivanti reports there is no known exploitation of these vulnerabilities.

Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6
Ivanti EPM is an all-in-one solution for managing device endpoints within a network. This advisory contains 18 CVEs, including one critical SQL injection vulnerability with a CVSSv3 score of 9.8 that could allow a remote unauthenticated attacker to achieve remote code execution (RCE). The other 17 vulnerabilities are either SQL injection or path traversal vulnerabilities with CVSSv3 scores ranging from 7.2 to 8.8 that could allow an attacker to execute code. Ivanti reports there is no known exploitation of these vulnerabilities.

Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC) (Multiple CVEs)
This advisory includes 25 vulnerabilities affecting Ivanti Connect Secure and Policy Secure, which are SSL VPN solutions used for remote and mobile access to corporate resources. Eight critical command or argument injection vulnerabilities (all with CVSSv3 scores of 9.1) could lead to remote code execution (RCE). Other high and medium severity security impact vulnerabilities could be exploited by attackers, which could allow DoS, RCE, modification of configuration files, arbitrary folder creation, and privilege escalation. Ivanti reports there is no known exploitation of these vulnerabilities.

Remediation advice

Affected organisations are strongly encouraged to review Ivanti's November Security Update blog and the security advisories below, applying any relevant updates.

Remediation steps


Patch	Security Advisory Ivanti Avalanche (Multiple CVEs) - Q4 2024 Release https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4-2024-Release
Patch	Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6 https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Patch	Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC) (Multiple CVEs) https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Definitive source of threat updates

https://www.ivanti.com/blog/november-2024-security-update

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4-2024-Release

https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Last edited: 14 November 2024 9:35 am