Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.
The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.
βAn XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,β the company said in an advisory.
The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
CVE-2024-22024 affects the following versions of the products -
Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.
Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, itβs imperative that users move quickly to apply the latest fixes.
Cybersecurity firm watchTowr, which said it disclosed CVE-2024-22024 to Ivanti in early February 2024, noted the issue stems from an incorrect fix for CVE-2024-21893 that was introduced in the latest version of the software.
βXXE is an introduction to a variety of impacts: DOS, Local File Read, and SSRF,β it said. βThe impact, plainly, of the SSRF depends on what protocols are available for usage.β
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.