New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Technology

Feb 09, 2024NewsroomVulnerability / Zero Day

New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.

The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Cybersecurity

CVE-2024-22024 affects the following versions of the products –

  • Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
  • Ivanti Policy Secure (version 22.5R1.1)
  • ZTA (version 22.6R1.3)

Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.

Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, it’s imperative that users move quickly to apply the latest fixes.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Read original source here.

Products You May Like

Articles You May Like

Health and Human Services Pick’s Medical Conspiracy Theories
EVERYDAY CARRY: Nordgreen | FashionBeans
Are We Entering the Age of Interactive TV?
Drew Carey Accused of ‘Telling’ Player How to Win ‘Line ‘Em Up’ Game
North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn