CVE-2024-8190 – OS Command Injection in Ivanti CSA

Posted Date: September 24, 2024

A high severity OS command injection vulnerability, CVE-2024-8190, has been found in Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 and earlier. This flaw allows attackers with admin access to remotely execute malicious commands, potentially taking full control of the system.

Ivanti has already released updates, but this command injection vulnerability is actively exploited in the wild, making immediate action critical.

CVE-2024-8190 – Risk Analysis

Severity: High
CVSSv3.0 Base Score: 7.2 (High)
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploit available in public: Yes.
Exploit complexity: Low

CVE-2024-8190 allows attackers to inject and execute arbitrary commands as an administrator once they gain access to the admin interface. With elevated privileges, attackers can compromise the entire system, running malicious operations undetected.

Despite requiring admin credentials to exploit, weak configurations and poor password practices make some systems easy targets.

While Ivanti recommends dual-homed configurations, which reduce exposure, users who misconfigure network interfaces or expose the admin console to the internet face significant risk. The absence of rate-limiting on login attempts makes this worse, allowing brute-force attacks to easily break into systems that use weak passwords.

Attackers are actively exploiting CVE-2024-8190, focusing on systems that are vulnerable to this threat. The end-of-life status of Ivanti CSA 4.6 further amplifies the urgency—version 5.0 is now the recommended version for ongoing support and security.

Once the vulnerability is exploited, the attacker can run any command with admin-level privileges, allowing complete control over the affected CSA. Such exploitation can lead to unauthorized access, data breaches, and overall system compromise.

Security Patch and Mitigation Recommendations

Ivanti has released a security patch addressing the issue, but the best defence is upgrading to CSA 5.0, which is not affected by this vulnerability. For those unable to immediately upgrade, Ivanti advises installing Patch 519 for version 4.6 and reviewing systems for any signs of malicious activity, such as unexpected admin accounts.

Here are essential actions to protect your system from CVE-2024-8190:

  1. Upgrade Immediately: If you’re using Ivanti CSA 4.6, upgrade to version 5.0 for continued security and support.
  2. Strengthen Admin Access: Restrict admin access to a few trusted users and enforce strong, unique passwords.
  3. Network Segmentation: Isolate your CSA from critical resources to limit damage in case of a breach.
  4. Enable Alerts: Monitor system logs for unusual activities and set up alerts for suspicious behavior.
  5. Regular Security Audits: Conduct routine security assessments to detect vulnerabilities early and apply patches swiftly.
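
As an illustration of the "Enable Alerts" step and the missing login rate-limiting noted earlier, the following added example (not Ivanti's or Indusface's code) flags bursts of failed admin logins from one source and any successful login that follows such a burst. The log layout, event names, threshold and window are assumptions; adapt the regex to the logs you actually collect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic "timestamp source-ip user result" layout.
# This is NOT Ivanti CSA's real log format; it only illustrates the logic.
SAMPLE_LOG = """\
2024-09-20T10:00:01Z 203.0.113.7 admin LOGIN_FAILED
2024-09-20T10:00:03Z 203.0.113.7 admin LOGIN_FAILED
2024-09-20T10:00:04Z 198.51.100.20 admin LOGIN_FAILED
2024-09-20T10:00:05Z 203.0.113.7 admin LOGIN_FAILED
2024-09-20T10:00:07Z 203.0.113.7 admin LOGIN_FAILED
2024-09-20T10:00:09Z 203.0.113.7 admin LOGIN_FAILED
2024-09-20T10:00:20Z 198.51.100.20 admin LOGIN_OK
2024-09-20T10:00:30Z 203.0.113.7 admin LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(LOGIN_FAILED|LOGIN_OK)$")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when a source reaches `threshold` failed logins inside `window`,
    and again on any later successful login from that flagged source."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()               # sources that already produced a burst alert
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that do not match the layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip, user, result = m.group(2), m.group(3), m.group(4)
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if result == "LOGIN_FAILED":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user, m.group(1)))
        elif ip in flagged:       # success after a burst: treat as likely compromise
            alerts.append(("success_after_burst", ip, user, m.group(1)))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A `success_after_burst` alert is the one to escalate: it is the point at which to review the appliance for unexpected admin accounts, as Ivanti advises.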

AppTrana WAAP Coverage for Remote Code Execution

AppTrana WAAP provides out-of-the-box coverage for this CVE, and our customers have been protected from this vulnerability from day 0.

When simulating the PoC for CVE-2024-8190, AppTrana WAAP blocked the attack, as shown in the screenshots.

Exploit command: CVE-2024-8190.py [-h] -u URL --username USERNAME --password PASSWORD -c COMMAND

AppTrana WAAP coverage for CVE-2024-8190 – OS Command Injection in Ivanti CSA

WAAP intercepted the malicious Burp Suite requests and returned a 406 status code, stopping unauthorized commands and ensuring system protection against this vulnerability.


Pavithra Hanchagaiah

Passionate InfoSec Pro with 18+ yrs experience in R&D, Project Mgmt, & Tech Leadership. Head of Security Research at Indusface's AppTrana, leading teams delivering WAS & WAF mechanisms. Former Manager at TrendMicro, leading cross-functional teams in IPS/IDS signature development. Expertise in team leadership, process improvement, and issue analysis
