Ivanti Virtual Traffic Manager Flaw Let Hackers Create Rogue Admin Accounts

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A critical authentication-bypass vulnerability has been discovered in Ivanti Virtual Traffic Manager (vTM). It has been assigned CVE-2024-7593 and rated 9.8 (Critical).

Ivanti has patched the vulnerability and released a security advisory addressing it.

Ivanti confirmed that there is no evidence of active exploitation of this vulnerability, although a proof of concept for it is publicly available.


Ivanti Virtual Traffic Manager Vulnerability

This vulnerability allows an unauthenticated remote attacker to bypass authentication on the admin panel and perform malicious actions.

Further, a threat actor could create an administrator account on a vulnerable Ivanti instance to serve as a backdoor.

The vulnerability stems from an incorrect implementation of the authentication algorithm in Ivanti vTM. It affects all versions of Ivanti vTM other than 22.2R1 and 22.7R2.

Customers whose management interface sits on an internal network or a private IP address have a reduced attack surface.

Ivanti also advises users to restrict access to the management interface and to ensure it is placed on a private IP address with restricted access.

Additionally, users are advised to upgrade their Ivanti instances to the latest available patch, 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024), to fix this vulnerability.

Product Name                     Affected Version(s)   Resolved Version(s)   Patch Availability
Ivanti Virtual Traffic Manager   22.2                  22.2R1                Available
Ivanti Virtual Traffic Manager   22.3                  22.3R3                Week of August 19th
Ivanti Virtual Traffic Manager   22.3R2                22.3R3                Week of August 19th
Ivanti Virtual Traffic Manager   22.5R1                22.5R2                Week of August 19th
Ivanti Virtual Traffic Manager   22.6R1                22.6R2                Week of August 19th
Ivanti Virtual Traffic Manager   22.7R1                22.7R2                Available
Affected versions (Source: Ivanti)

Workaround

As a workaround for this vulnerability, Ivanti instructs users to follow the steps below to limit admin access to the management interface to the internal, private or corporate network:

  • In the vTM server, go to System > Security, then expand the drop-down for the Management IP Address and Admin Server Port section.
  • Click “bindip” and select the Management Interface IP address.
  • Alternatively, use the setting directly above “bindip” to restrict access to trusted IP addresses, further limiting who can reach the interface.
Source: Ivanti

To check whether an instance has been compromised, administrators can review the “Audit Logs Output” to see whether an admin user has been added.
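As an added defender-side example (not Ivanti's code), the following Python checks the two controls this section recommends: whether the management interface binds to a private address behind a trusted-IP restriction, and whether the audit log shows a newly added admin-role account. The setting names (bindip, trusted IPs) are taken from the text, but the settings representation and the audit-log line format are constructed assumptions, not vTM's real configuration or log syntax.

```python
# Added example (not Ivanti's code): defender-side checks for the two controls
# this section recommends. The setting names and the audit-log line format
# below are CONSTRUCTED for illustration, not Ivanti vTM's real syntax.
import ipaddress
import re

def assess_management_exposure(bindip: str, trusted_ips: list[str]) -> list[str]:
    """Return findings for how the admin interface is exposed.

    bindip      - address the admin server listens on (assumed setting name)
    trusted_ips - addresses/CIDRs allowed to reach it; empty means no filter
    """
    findings = []
    bind = ipaddress.ip_address(bindip)
    if bind.is_unspecified:          # 0.0.0.0 or :: listens on every interface
        findings.append("bindip listens on all interfaces")
    elif bind.is_global:             # publicly routable management address
        findings.append("bindip is a public address")
    if not trusted_ips:
        findings.append("no trusted-IP restriction configured")
    for entry in trusted_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"trusted-IP entry {entry} allows any source")
        elif net.is_global:
            findings.append(f"trusted-IP entry {entry} is a public range")
    return findings

# Constructed sample audit lines; the key=value shape is an assumption.
AUDIT_LOG = """\
2024-08-13T09:01:10Z actor=admin action=login result=success src=10.0.5.20
2024-08-13T09:02:44Z actor=admin action=config_change key=bindip
2024-08-13T09:30:02Z actor=admin action=user_add user=svc_backup role=monitoring
2024-08-13T23:17:51Z actor=admin action=user_add user=support2 role=admin src=203.0.113.9
"""
_USER_ADD = re.compile(
    r"^(?P<ts>\S+) .*action=user_add user=(?P<user>\S+) role=(?P<role>\S+)(?: src=(?P<src>\S+))?")

def find_admin_additions(log_text: str, known_admins: set[str]) -> list[dict]:
    """Flag admin-role account creations that are not in the known baseline."""
    hits = []
    for line in log_text.splitlines():
        m = _USER_ADD.match(line)
        if m and m["role"] == "admin" and m["user"] not in known_admins:
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"]})
    return hits

if __name__ == "__main__":
    print(assess_management_exposure("0.0.0.0", []))
    print(find_admin_additions(AUDIT_LOG, {"admin"}))
```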

Users are advised to keep all instances updated to the latest version to prevent exploitation of this vulnerability. Ivanti also lists the End of Engineering and End of Support schedule for Ivanti vTM, which can be found here.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti added.
