Submitted URL: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS...

December 2024 Security Advisory Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) (Multiple CVEs)
Primary Product
Connect-Secure
Created Date
Dec 10, 2024 5:55:41 PM
Last Modified Date
Dec 10, 2024 5:55:41 PM

Ivanti has released updates for Ivanti Connect Secure and Ivanti Policy Secure
which address high and critical severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at
the time of disclosure.


Vulnerability Details:

Important: Unless the CVE description specifies otherwise, the CVEs apply to the
9.1Rx line of code. The listed critical vulnerabilities were not candidates for
receiving a backported fix to the 9.x version of the software, as the risk of
these vulnerabilities is greatly reduced if customers have the Management
interface access restricted to an internal network, which is Ivanti's
recommendation and industry best practice.


CVE-2024-37377
Description: A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
CVSS Score (Severity): 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-122
Impacted Product(s): Connect Secure

CVE-2024-9844
Description: Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
CVSS Score (Severity): 7.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CWE: CWE-602
Impacted Product(s): Connect Secure

CVE-2024-37401
Description: An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.
CVSS Score (Severity): 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-125
Impacted Product(s): Connect Secure

CVE-2024-11633
Description: Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
CVSS Score (Severity): 9.1 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-88
Impacted Product(s): Connect Secure

CVE-2024-11634
Description: Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to the 9.1Rx code train.)
CVSS Score (Severity): 9.1 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-77
Impacted Product(s): Connect Secure & Policy Secure


Affected Versions

Product Name: Ivanti Connect Secure (ICS)
Affected Version(s): 22.7R2.3 and prior
Resolved Version(s): 22.7R2.4
Patch Availability: Ivanti Portal

Product Name: Ivanti Policy Secure (IPS)
Affected Version(s): 22.7R1.1 and prior
Resolved Version(s): 22.7R1.2
Patch Availability: Ivanti Portal
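A quick way to turn the Affected Versions table into an "am I affected?" check for an inventory of appliances is to compare installed version strings numerically rather than lexically. The following is an added example, not Ivanti's code: it parses the 22.7R2.4-style version format into a tuple, compares it to the resolved version for each product, and treats the 9.1Rx line as affected with no fix, which is how this editor reads the advisory's statement that no patch will be released for 9.1Rx. The RESOLVED values come from the table above; parse_version and assess are the example's own names.

```python
import re

# Ivanti ICS/IPS versions look like "22.7R2.4": major.minor, an "R" release number,
# and an optional patch number. Parsing to integers makes 22.7R2.10 compare as newer
# than 22.7R2.9, which a plain string comparison would get wrong.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v):
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Resolved versions from this advisory's Affected Versions table.
RESOLVED = {
    "Ivanti Connect Secure (ICS)": "22.7R2.4",
    "Ivanti Policy Secure (IPS)": "22.7R1.2",
}


def assess(product, installed):
    """Return (affected, fix_version); fix_version is None when no patch exists."""
    if product not in RESOLVED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    ver = parse_version(installed)
    # Advisory: the CVEs apply to the 9.1Rx line and no 9.1Rx patch will be released
    # (the editor's reading of the Note on this page).
    if ver[:2] == (9, 1):
        return (True, None)
    fix = RESOLVED[product]
    return (ver < parse_version(fix), fix)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("vpn-a", "Ivanti Connect Secure (ICS)", "22.7R2.3"),
        ("vpn-b", "Ivanti Connect Secure (ICS)", "22.7R2.4"),
        ("nac-a", "Ivanti Policy Secure (IPS)", "22.7R1.1"),
        ("vpn-legacy", "Ivanti Connect Secure (ICS)", "9.1R18.9"),
    ]
    for host, product, version in inventory:
        affected, fix = assess(product, version)
        status = "AFFECTED" if affected else "ok"
        print(f"{host}: {product} {version} -> {status}"
              + (f", upgrade to {fix}" if affected and fix else "")
              + (", no patch: migrate to 22.7" if affected and fix is None else ""))
```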


Note: Ivanti will not be releasing a patch for the 9.1Rx line of code. The 9.1Rx
line of code will reach end of support on December 31, 2024, and patches are
provided on a 'best effort' basis. The listed critical vulnerabilities were not
candidates for receiving a backported fix to the 9.x version of the software, as
the risk of these vulnerabilities is greatly reduced if customers have the
Management interface access restricted to an internal network, which is Ivanti's
recommendation and industry best practice. We strongly encourage customers to
upgrade to Ivanti Connect Secure 22.7 to benefit from important security updates
that we have made throughout the solution.

Solution

These vulnerabilities are resolved in the latest versions of the products, which
can be downloaded from the Ivanti download portal (login required):

 * Ivanti Connect Secure 22.7R2.4
 * Ivanti Policy Secure 22.7R1.2


Acknowledgements

Ivanti would like to thank the following for reporting the relevant issues and
for working with Ivanti to help protect our customers:

 * n3k, Yue Liu from TIANGONG Team of Legendsec at QI-ANXIN Group
   (CVE-2024-37377, CVE-2024-37401)
 * Timothée Cocault of Orange (CVE-2024-9844)

Note: Ivanti is dedicated to ensuring the security and integrity of our
enterprise software products. We recognize the vital role that security
researchers, ethical hackers, and the broader security community play in
identifying and reporting vulnerabilities. Visit HERE to learn more about our
Vulnerability Disclosure Policy.


FAQ

1: Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by these vulnerabilities prior
to public disclosure. These vulnerabilities were disclosed through our
responsible disclosure program.

2: How can I tell if I have been compromised?

Currently, there is no known public exploitation of these vulnerabilities, so
there is no exploitation activity from which a list of indicators of compromise
could be derived.

3: Are any of these vulnerability fixes backported to any of the 9.x versions?

No. The Pulse Connect Secure 9.x version of the product reached End of
Engineering in June 2024 and is nearing End-of-Support on December 31, 2024.
Because of this, the 9.x version of Connect Secure receives backported fixes on
a 'best effort' basis. The listed critical vulnerabilities were not candidates
for receiving a backported fix to the 9.x version of the software, as the risk of
these vulnerabilities is greatly reduced if customers have the Management
interface access restricted to an internal network, which is Ivanti's
recommendation and industry best practice. We strongly encourage customers to
upgrade to Ivanti Connect Secure 22.7 to benefit from important security updates
that we have made throughout the solution.

4: Why does Ivanti include CWE in their Security Advisories now?

It is our priority to provide transparent and accurate information in our
security advisories. Adding CWEs provides a consistent way of referring to
software weaknesses, such as cross-site scripting or improper input validation.
By providing the CWE we are giving our customers more information so that they
can make appropriate risk assessments when we release a security fix.

5: Why has Ivanti disclosed so many vulnerabilities in the network security
products?

By signing the Secure by Design pledge, we are committing to a set of
principles, standards, and actions that will help us further elevate the
security of our products and better protect our customers. This includes
mitigating entire classes of vulnerabilities, increasing the adoption of
security patches, establishing a vulnerability disclosure policy and improving
our customers' ability to gather evidence of cybersecurity intrusions. Ivanti is
pleased that our products and our organization already meet many of these Secure
by Design principles, and we are looking closely at opportunities to enhance and
accelerate our efforts and practices throughout our organization and product
development lifecycle.

For Ivanti, by signing this pledge, we are making a public commitment to raise
the bar and that we will be accountable for delivering. We believe that
transparency is essential in building trust and fostering a broader culture of
security.

6: What should I do if I need help?

If you have questions after reviewing this information, you can log a case
and/or request a call via the Success Portal.

Article Number :
000096513
Article Promotion Level
Normal
