URL: https://blog.sonicwall.com/en-us/2024/11/cve-2024-9379-ivanti-cloud-service-appliance-authenticated-sql-injection/
Submission: On November 07 via api from IN — Scanned from DE
CVE-2024-9379: IVANTI CLOUD SERVICE APPLIANCE AUTHENTICATED SQL INJECTION

By Security News, November 1, 2024

OVERVIEW

The SonicWall Capture Labs threat research team became aware of an authenticated SQL injection vulnerability affecting Ivanti Cloud Service Appliances (CSA). Identified as CVE-2024-9379 and carrying a moderate CVSSv3 score of 6.5, the vulnerability is more severe than it initially appears because of reported exploitation attempts. In its October security update, Ivanti announced: “We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are chained with CVE-2024-8963.”

Labeled as a SQL injection vulnerability and categorized as CWE-89, this flaw allows authenticated attackers to run arbitrary SQL statements and compromise the server database. No PoC is publicly available yet, but according to CISA, CVE-2024-9379 is one of three Ivanti CSA vulnerabilities exploited in the wild. With admin privileges, an attacker can compromise the Ivanti server database by injecting crafted SQL queries into vulnerable versions of Ivanti CSA. Users are strongly encouraged to update CSA to version 5.0.2.

TECHNICAL OVERVIEW

The Ivanti Cloud Services Appliance (CSA) provides secure communication and functionality over the Internet. It acts as a meeting platform where the console and managed devices are connected to the Internet, even if they are behind firewalls or use a proxy to access the Internet.
CVE-2024-9379 is a critical SQL injection vulnerability found in Ivanti’s Cloud Services Appliance (CSA). This flaw enables an authenticated attacker to execute arbitrary SQL commands by injecting malicious input into specific fields of the administrative web interface. SQL injection occurs when an application inadequately sanitizes user input, allowing the attacker to manipulate the queries sent to the database. In this case, the attacker must possess administrative credentials to access the vulnerable fields. The issue can be exploited remotely and could lead to unauthorized access to sensitive data.

TRIGGERING THE VULNERABILITY

Given these prerequisites, the exploitation pathway for this vulnerability is more targeted and requires an attacker with access credentials and specific knowledge of the application structure. Here is how these conditions affect the risk and the ways the vulnerability can be triggered:

* Administrative Credentials: Since the attack requires administrative-level access, it limits the pool of potential attackers to those who can compromise credentials. According to CISA, CVE-2024-8963 may be facilitating credential compromise.
* Identification of Vulnerable Input Fields: The attacker must know the specific vulnerable input field, which typically requires access to the application’s source code or configuration, or significant reconnaissance effort.
* POST Request with Malicious SQL: The attacker must craft a valid POST request that includes the necessary access tokens, making exploitation more complex and potentially easier to detect.

EXPLOITATION

Successful exploitation could allow attackers to manipulate or delete critical data and escalate privileges. When combined with other vulnerabilities, the attack could lead to:

* Full Compromise of Database Integrity: Attackers could modify, delete, or exfiltrate database records, affecting data integrity and confidentiality.
* Privilege Escalation: By leveraging this vulnerability, attackers could gain higher-level permissions, granting broader access across the system.
* Remote Code Execution (RCE): Combined with other vulnerabilities, this flaw allows the attacker to execute arbitrary commands, compromising the host system and potentially leading to further infiltration.
* Service Disruption: Exploiting specific SQL commands could lead to system crashes or instability, interrupting services and affecting availability.

Suppose the username field in the CSA admin panel is used to retrieve data from the database. An attacker could enter a malicious payload as shown in Figure 1, causing the database to pause execution for 10 seconds. Here the attacker is injecting into the username field, which is used in the “WHERE” clause of a “SELECT” statement. Repeated requests using this kind of payload can degrade performance, resulting in service disruption.

Figure 1: Denial of Service using SQL query

Another possibility is that an attacker could use “;” to terminate the intended query and append a new SQL query that modifies the database. As an example, in Figure 2 the injected “UPDATE” command may grant the attacker’s user account the admin role, giving unauthorized access to privileged features within Ivanti CSA.

Figure 2: Privilege Escalation using SQL query

SONICWALL PROTECTIONS

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

* IPS:20455 – Ivanti Cloud Service Appliance SQL Injection

REMEDIATION RECOMMENDATIONS

According to the advisory, considering the severe consequences of this vulnerability and the trend of malicious actors attempting to leverage the exploit in the wild, users are strongly encouraged to upgrade their CSA instances to version 5.0.2 to address the vulnerability.
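The username-in-a-WHERE-clause scenario above is the textbook CWE-89 shape. As an added example that is not from the SonicWall post and not Ivanti's code, the following Python snippet builds a tiny in-memory SQLite table (constructed sample rows) and contrasts a lookup that splices the username into the query string with the same lookup using a bound parameter. The table layout and function names are assumptions made for illustration; the point it shows is that a quote or ";" in a bound parameter is compared as data, while in the concatenated form the same characters reach the SQL parser.

```python
import sqlite3


def make_demo_db():
    """Constructed sample data: a small users table standing in for an
    appliance's account store (assumed layout, not Ivanti's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, username):
    """CWE-89 pattern: the untrusted value is spliced into the WHERE clause,
    so quotes and ';' inside it are parsed as SQL instead of compared as data."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role_safe(conn, username):
    """Hardened form: the driver binds the value, so it is always a literal."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def query_breaks(conn, username):
    """True if the concatenated query fails to parse for this input. A parse
    error on a quote is the symptom that reveals an injectable field; the
    parameterized form never produces it."""
    try:
        lookup_role_vulnerable(conn, username)
        return False
    except sqlite3.Error:
        return True


def roles_snapshot(conn):
    """Current (username, role) pairs, used to confirm the table is unchanged."""
    return sorted(conn.execute("SELECT username, role FROM users").fetchall())


if __name__ == "__main__":
    db = make_demo_db()
    # A legitimate-looking value with an apostrophe is enough to show the gap.
    tricky = "o'brien"
    print("safe lookup :", lookup_role_safe(db, tricky))                      # None
    print("vuln lookup :", "parse error" if query_breaks(db, tricky) else "ok")  # parse error
    print("table intact:", roles_snapshot(db) == [("alice", "admin"), ("bob", "operator")])
```

The same contrast holds for any driver that supports placeholders; the defensive rule the post's remediation implies is that the application never assembles a query from a request field, so the "WHERE clause of a SELECT" the attacker targets simply has no seam to inject into.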
RELEVANT LINKS

* NVD
* CISA
* Known-Exploited-Vulnerabilities-Catalog
* Ivanti
* Ivanti-October-update

Security News: The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Categories: Threat intelligence
Tags: Security News