Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining 4 bugs – CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) – also fall under the same category, with the only difference being that they require the attacker to be authenticated.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file.
In addition, patches have been shipped for 5 other high-severity vulnerabilities: an SQL injection (CVE-2024-22059) and an unrestricted file upload bug (CVE-2024-22060) in Neurons for ITSM, a CRLF injection flaw in Connect Secure (CVE-2023-38551), and two local privilege escalation issues in the Secure Access client for Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti stressed that there is no evidence of the flaws being exploited in the wild or that they were “introduced into our code development process maliciously” by way of a supply chain attack.
The development comes as details emerged about a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix (CVE-2024-4701, CVSS score: 9.9) that could lead to remote code execution.
Described as a path traversal vulnerability, the shortcoming could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The issue stems from the fact that Genie’s REST API is designed to accept a user-supplied filename as part of the request, thereby allowing a malicious actor to craft a filename such that it can break out of the default attachment storage path and write a file with any user-specified name to a path specified by the actor.
“Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted,” the maintainers said in an advisory.
“Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system that the Java process has write access to – potentially leading to remote code execution (RCE).”
That said, users who do not store the attachments locally on the underlying file system are not susceptible to this issue.
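The containment check that this class of bug calls for, as an added Python example that is not Genie's code or its actual fix: a client-supplied attachment name is resolved and accepted only if it stays inside the storage directory. The function names, the `attachments` directory and the sample filenames are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name would land outside the store."""


def naive_target(store: Path, filename: str) -> Path:
    # Weak pattern: trusts the client-supplied name. ".." segments or an
    # absolute path move the write outside the attachment store.
    return Path(os.path.normpath(store / filename))


def safe_target(store: Path, filename: str) -> Path:
    # Hardened pattern: resolve symlinks and ".." first, then require the
    # result to be strictly inside the resolved store directory.
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    root = store.resolve()
    candidate = (root / filename).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafeFilename(f"{filename!r} escapes {root}")
    return candidate


def classify(store: Path, names):
    # Map each name to "ok" or "rejected" under the hardened check.
    verdicts = {}
    for name in names:
        try:
            safe_target(store, name)
            verdicts[name] = "ok"
        except UnsafeFilename:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample names, not taken from the advisory.
SAMPLES = ["query.sql", "sub/setup.sh", "../../outside.txt", "/tmp/abs.txt", "a/../../b"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "attachments"
        store.mkdir()
        for name, verdict in classify(store, SAMPLES).items():
            print(f"{verdict:9} {name!r} -> naive: {naive_target(store, name)}")
```

The comparison is made on resolved paths rather than on the raw string, so a symlink inside the store that points elsewhere is rejected as well.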
“If successful, such an attack could fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files,” Contrast Security researcher Joseph Beeton said.
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal defects in software to breach targets, calling on developers to adopt a secure by design approach for eliminating such security holes.
“Incorporating this risk mitigation at the outset – beginning in the design phase and continuing through product release and updates – reduces both the burden of cybersecurity on customers and risk to the public,” the government said.
The disclosure also comes in the wake of several vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s Control Edge Unit Operations Controller (UOC) that can result in unauthenticated remote code execution.
“An attacker already on an OT network would use a malicious network packet to exploit this vulnerability and compromise the digital controller,” Claroty said. “This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code.”
Some parts of this article are sourced from:
thehackernews.com