Ivanti Patches Critical Vulnerabilities in Neurons for ITSM, Virtual Traffic Manager

IT software company Ivanti on Tuesday announced patches for eight vulnerabilities in Neurons for ITSM, Avalanche, and Virtual Traffic Manager, including two critical-severity flaws.

Two security defects were resolved in Neurons for ITSM, including a critical-severity information disclosure issue that could allow “an unauthenticated attacker to obtain the OIDC client secret via debug information”. The bug is tracked as CVE-2024-7569 (CVSS score of 9.6).

Ivanti also announced patches for CVE-2024-7570 (CVSS score of 8.3), a high-severity improper certificate validation flaw that could allow a remote attacker in a man-in-the-middle (MiTM) position “to craft a token that would allow access to ITSM as any user”.

The Neurons for ITSM patches cover versions 2023.2, 2023.3, and 2023.4. The company applied the fixes to all Neurons for ITSM Cloud landscapes on August 4.

The software company also announced the rollout of patches for a critical-severity bug in Virtual Traffic Manager (vTM) that could be exploited remotely to bypass authentication and create an administrator user in the admin panel.

Tracked as CVE-2024-7593 (CVSS score of 9.8), the security defect was resolved with the release of vTM versions 22.2R1 and 22.7R2. Ivanti says patches will also be included in vTM versions 22.3R3, 22.5R2, and 22.6R2, which will be released next week.

On Tuesday, Ivanti also announced patches for five high-severity vulnerabilities in Avalanche, including four that could allow remote, unauthenticated attackers to mount denial-of-service (DoS) attacks or read arbitrary files on the server.

The fifth bug, an improper input validation issue, could be exploited to achieve remote code execution (RCE). However, an attacker would have to be authenticated as an administrator user to exploit the flaw.

All five security defects were resolved with the release of Avalanche version 6.4.4. Ivanti recommends that customers download the Avalanche installer and upgrade to the patched version of the product.

Ivanti says it is not aware of any of these vulnerabilities being exploited in the wild, but points out that a proof-of-concept (PoC) exploit is available for the critical vTM flaw.

Additional information can be found in Ivanti’s August security advisory.

Related: Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability

Related: Siemens Patches Power Grid Product Flaw Allowing Backdoor Deployment

Related: ExpressVPN User Data Exposed Due to Bug

Related: GitLab Security Update Patches Critical Vulnerability
