
Overview

Threat actors are still exploiting CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Policy Secure Gateways. They continue to capture credentials and drop web shells to enable further compromise of enterprise networks. Some actors have been able to avoid detection and mitigation methods, allowing them to exploit weaknesses, move laterally, and escalate privileges. If you or your organisation is running either of the following, the advice is to carry out continuous threat hunting on any systems currently or recently connected to the Ivanti device:

  • Connect Secure 9.x or 22.x
  • Policy Secure Gateway

New vulnerabilities in the same products have been identified. CVE-2024-21888 is a privilege escalation vulnerability, while CVE-2024-21891 is a server-side request forgery vulnerability.

Cisco have released a security update to address CVE-2024-20253 affecting the following products in the default configuration:

  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

The vulnerability could allow attackers to execute arbitrary code on affected devices.

Juniper have released a security bulletin addressing multiple vulnerabilities found in Junos OS SRX Series and EX Series. CVE-2024-21620, which has a base score of 8.8 (high severity), is a cross-site scripting vulnerability that can allow an unauthorised attacker to construct a URL that, when visited by another user, allows the attacker to execute commands with the target's permissions.

Vulnerabilities in Juniper Secure Analytics applications have been identified, ranging in severity from critical (i.e. CVE-2023-37920 and CVE-2021-4048) to medium.

Mastodon, the social networking platform, has released a security update to fix a critical vulnerability that could allow attackers to impersonate other users and take over their accounts. To protect themselves from account hijacking, Mastodon users need to make sure that the admins of the instances they participate in have upgraded to a safe version.

Moby and OCI have released updates addressing multiple vulnerabilities affecting Docker-related components, including Moby BuildKit and OCI Runc. CVE-2024-23652 is categorised as critical, with a base score of 10.0: a Dockerfile using RUN --mount could trick the feature that removes empty files created for the mount points into removing a file outside the container, on the host system.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

  • Ivanti: Latest and Ongoing advice
  • Cisco: Security Advisory
  • Juniper: Junos OS and Juniper Secure Analytics
  • Mastodon: Security Advisory
  • Moby and OCI: Moby BuildKit and OCI Runc

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.


Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates