Hitmetrix - User behavior analytics & recording

Ivanti patches critical flaws in Connect Secure


Ivanti has released security updates to fix multiple critical vulnerabilities in its Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) products. These flaws could allow attackers to execute arbitrary code and gain restricted access, putting users at risk. The vulnerabilities include a file name control issue in ICS and IPS that allows remote authenticated attackers with admin privileges to write arbitrary files.

A stack-based buffer overflow in ICS enables remote code execution. Code injection flaws in ICS, IPS, and CSA also allow remote authenticated attackers with admin rights to achieve remote code execution. Ivanti has addressed these issues in Connect Secure 22.7R2.6, Policy Secure 22.7R1.3, and CSA 5.0.5. While the company is not aware of any active exploitation, it urges users to apply the patches immediately as Ivanti appliances are often targeted by threat actors.

JPCERT/CC revealed that a patched Ivanti Connect Secure vulnerability was exploited to deliver an updated version of the SPAWN malware framework called SPAWNCHIMERA.

This malware combines functions of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL into one, with modifications to inter-process communication and a function to prevent other actors from exploiting the same flaw.

Ivanti acknowledged that its edge products have been targeted by sophisticated nation-state attacks and is working to improve its software security. Efforts include enhanced internal scanning, manual testing, increased collaboration with the security community, and an improved responsible disclosure process. In related news, Bishop Fox released details of a patched flaw in SonicWall SonicOS that could bypass authentication in firewalls, with nearly 4,500 internet-facing SonicWall SSL VPN servers remaining unpatched.

Akamai also disclosed two vulnerabilities in Fortinet FortiOS that could lead to denial-of-service and remote code execution, which were resolved by Fortinet. Arctic Wolf observed exploitation attempts of the SonicWall flaw shortly after a proof-of-concept was made available. With multiple vulnerabilities being actively targeted, organizations must stay updated with patches and continuously monitor their security posture to prevent exploitation.
