Subj : US government flags major Ivanti security flaw, so patch now
To   : All
From : TechnologyDaily
Date : Thu Oct 03 2024 16:15:05

Date: Thu, 03 Oct 2024 15:03:00 +0000
Description: Federal agencies don't have long to apply Ivanti patch following CISA warning.

FULL STORY
======================================================================

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Ivanti bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling that it's being actively abused in the wild.

The bug that was just added is an SQL injection vulnerability, found this spring in the Core server of Ivanti Endpoint Manager (EPM) 2022 SU5 and prior. It grants an unauthenticated attacker within the same network the ability to run arbitrary code. It is tracked as CVE-2024-29824, and has a severity score of 9.6 (critical).

Federal agencies now have three weeks to apply the patch, or stop using the product altogether - and organizations in the private sector should take note, too.

Renewed commitment to security

Ivanti Endpoint Manager (EPM) is a software solution designed for IT asset management, offering tools to manage, secure, and troubleshoot endpoints like desktops, laptops, and mobile devices across an organization. It helps automate patching, software distribution, and inventory control, and supports Windows, macOS, Chrome OS, and different IoT operating systems.

The company says it patched the vulnerability in May 2024, together with five other RCE flaws. It, too, recently confirmed observing attacks in the wild: "At the time of this update, we are aware of a limited number of customers who have been exploited," the company concluded.

Ivanti is a major technology provider in the B2B sector, with over 40,000 customers globally, and clients spanning various industries, including government, healthcare, education, financial services, and more. These organizations use Ivanti's solutions for IT management, security, and asset management, and as such, they are a major target for cybercriminals.

In recent years, Ivanti has been at the center of much controversy, since many of its products were found to be severely flawed. In response, Ivanti CEO Jeff Abbott issued an open letter to customers and partners in April 2024, promising a renewed commitment to security.

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/us-government-flags-major-ivanti-security-flaw-so-patch-now

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)