Vulnerability Analysis

Ivanti Cloud Services Appliance CVE-2024-8963: Chained Exploitation

Ivanti's Cloud Services Appliance faced chained zero-day exploitation in September 2024, with attackers combining path traversal and command injection for unauthenticated RCE.

Nayan Dey
DevSecOps Engineer
6 min read

September 2024 brought yet another chapter in Ivanti's difficult security year. The company disclosed CVE-2024-8963, a critical path traversal vulnerability in the Ivanti Cloud Services Appliance (CSA), which was already being exploited in the wild in combination with CVE-2024-8190, an OS command injection vulnerability disclosed nine days earlier.

This was the third major wave of Ivanti product exploitation in 2024, following the Ivanti Connect Secure vulnerabilities in January (CVE-2023-46805/CVE-2024-21887) and the Ivanti Endpoint Manager SQL injection (CVE-2024-29824) disclosed in May. Chained zero-day exploitation against Ivanti products had become a defining theme of the year.

The Vulnerability Chain

CVE-2024-8963 (CVSS 9.4): A path traversal vulnerability in Ivanti CSA 4.6 Patch 518 and earlier. By manipulating the URL path, a remote, unauthenticated attacker can reach functionality that is supposed to require an authenticated admin session.

CVE-2024-8190 (CVSS 7.2): An OS command injection vulnerability in the same CSA versions. On its own it requires admin-level privileges, which is why its score is lower; chained behind CVE-2024-8963 that requirement disappears, and the result is unauthenticated remote code execution.

The attack chain works as follows:

  1. The attacker sends a crafted HTTP request that exploits the path traversal (CVE-2024-8963) to access an administrative endpoint without authentication.
  2. Through this endpoint, the attacker submits a request containing OS command injection payloads (CVE-2024-8190).
  3. The injected commands execute on the underlying Linux system with the privileges of the CSA web application.
  4. The attacker establishes persistent access through web shells or reverse shells.
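The two bug classes that make up the chain are easiest to see side by side. The following is an added illustration, not code from Ivanti's appliance: the `/gsb/` and `/client/` prefixes, the function names and the "set timezone" action that ends up in a shell command are hypothetical stand-ins. Nothing here executes anything; each function returns what the appliance *would* run so the outcome can be inspected.

```python
"""Two bug classes behind the CSA chain, in vulnerable and hardened form.

Added illustration, not code from Ivanti's appliance: the prefixes, function names and
the 'set timezone' operation are hypothetical stand-ins for an admin-only action that
ends up in a shell command. Nothing here executes a command; the functions return
what *would* run.
"""
import posixpath
import re
from urllib.parse import unquote

ADMIN_PREFIX = "/gsb/"      # hypothetical: pages that must sit behind the admin login
PUBLIC_PREFIX = "/client/"  # hypothetical: agent-facing pages reachable without a session


def requires_admin_vuln(raw_path: str) -> bool:
    """Bug class 1 (CVE-2024-8963 style): the gate looks at the raw request string.
    '/client/..%2fgsb/users.php' does not start with '/gsb/', so no login is demanded,
    yet the server resolves it to the admin page."""
    return raw_path.startswith(ADMIN_PREFIX)


def canonical_path(raw_path: str) -> str:
    """Percent-decode (twice, to also catch %252e double encoding) and collapse
    './' and '../' segments. Decoding one time more than the server does can only
    make the gate stricter, which is the right failure direction for an auth check."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def requires_admin_fixed(raw_path: str) -> bool:
    """Deny by default on the canonical path: only the public prefix is exempt."""
    return not canonical_path(raw_path).startswith(PUBLIC_PREFIX)


def timezone_command_vuln(tz: str) -> str:
    """Bug class 2 (CVE-2024-8190 style): a form value is glued into a shell line.
    The caller hands this string to /bin/sh, so 'UTC; id' runs two commands."""
    return "/opt/appliance/bin/set-tz " + tz          # hypothetical helper binary


TZ_ALLOWED = re.compile(r"[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}")


def timezone_command_fixed(tz: str) -> list:
    """Allowlist the value, then build an argv list for subprocess.run(argv) with no
    shell, so metacharacters stay data even if the allowlist is ever loosened."""
    if not TZ_ALLOWED.fullmatch(tz):
        raise ValueError("rejected timezone value: %r" % tz)
    return ["/opt/appliance/bin/set-tz", tz]


def chain(raw_path: str, tz: str, gate, builder):
    """Model the chained request: is a login demanded, and what command would run?
    Returns (login_required, command_or_error) for a given gate/builder pair."""
    if gate(raw_path):
        return True, None
    try:
        return False, builder(tz)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    payload_path = "/client/..%2fgsb/settings.php"
    payload_tz = "UTC; id"
    print("vulnerable:", chain(payload_path, payload_tz, requires_admin_vuln, timezone_command_vuln))
    print("hardened:  ", chain(payload_path, payload_tz, requires_admin_fixed, timezone_command_fixed))
```

Two design points carry over to real code. First, `posixpath.normpath` only reasons about the string; an access check that matters should be made on the path the file system actually resolves (after symlinks), and ideally by the same code that serves the file. Second, the allowlist is the primary control and the argv list is the backstop: either alone is a single point of failure, which is exactly what the chain exploits.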

Ivanti CSA 4.6 was already end-of-life; Ivanti had released CSA 5.0 as the supported upgrade path and stated that Patch 519 would be the final fix for 4.6. Many organizations were nevertheless still running 4.6, and exploitation began before most of them had migrated.

Timeline of Events

  • September 10, 2024: Ivanti discloses CVE-2024-8190 and releases CSA 4.6 Patch 519, which it describes as the last patch for the 4.6 line.
  • September 13, 2024: CISA adds CVE-2024-8190 to the KEV catalog, confirming active exploitation.
  • September 19, 2024: Ivanti discloses CVE-2024-8963, confirming it is being chained with CVE-2024-8190 in active attacks. The advisory notes that CSA 4.6 Patch 519 incidentally addressed this vulnerability as well. CISA adds CVE-2024-8963 to KEV the same day.
  • October 8, 2024: Ivanti discloses further CSA 4.6 vulnerabilities, CVE-2024-9379 (SQL injection) and CVE-2024-9380 (OS command injection), and reports that a limited number of customers were already being exploited through chains combining them with CVE-2024-8963. CISA adds both to KEV on October 9.
  • October 11, 2024: Fortinet's FortiGuard Labs publishes an incident report on a suspected nation-state adversary chaining these CSA vulnerabilities.
  • January 22, 2025: CISA and FBI publish joint advisory AA25-022A detailing the full exploitation chains and indicators of compromise.

Observed Exploitation

CISA and FBI released a joint advisory (AA25-022A) in January 2025 describing the tactics, techniques, and procedures (TTPs) used by threat actors exploiting the Ivanti CSA vulnerability chain. It documents two chains: CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and CVE-2024-8963 with CVE-2024-9379. Fortinet's October 2024 incident report covers one of these intrusions in depth.

The observed attack flow:

  1. Initial exploitation: Attackers chained CVE-2024-8963 with CVE-2024-8190 (and, in later activity, with CVE-2024-9380 or CVE-2024-9379) to gain unauthenticated command execution.
  2. Web shell deployment: Multiple web shells were deployed under the CSA's web root for persistent access. Several distinct web shell variants were observed, suggesting multiple threat groups or at least multiple operators.
  3. Credential harvesting: Attackers accessed the CSA's database to extract stored credentials, including the Active Directory service account credentials the appliance holds for integration.
  4. Lateral movement: Using harvested credentials, attackers pivoted from the CSA to internal Active Directory environments.
  5. DNS tunneling: Some attackers used DNS tunneling for command-and-control communication, making detection more difficult.

In the intrusion Fortinet documented, the attacker exploited the initial vulnerabilities, deployed a web shell, and then patched the vulnerabilities themselves to prevent other attackers from accessing the same system. This "patch and own" behavior has been observed in other campaigns and indicates a sophisticated, persistent threat actor. The practical consequence is that finding an appliance fully patched proves nothing: check who applied the patch and when, not just whether it is present.

The Ivanti Problem in 2024

The Ivanti CSA exploitation came in the context of a year that was exceptionally challenging for Ivanti's security reputation:

January 2024: CVE-2024-21887 and CVE-2023-46805 in Ivanti Connect Secure and Policy Secure were exploited as zero-days by a suspected Chinese state-sponsored group (tracked by Volexity as UTA0178 and by Mandiant as UNC5221). These vulnerabilities affected VPN appliances and led to CISA issuing Emergency Directive 24-01, which ultimately required federal agencies to disconnect affected devices.

February 2024: Additional vulnerabilities CVE-2024-21893 (SSRF) and CVE-2024-22024 (XXE) were discovered in Connect Secure during incident response, with exploitation beginning almost immediately after disclosure.

April 2024: CVE-2024-21894 in Ivanti Connect Secure, a heap overflow in the IPSec component, disclosed alongside several further Connect Secure flaws.

September 2024: The CSA vulnerability chain (CVE-2024-8963, CVE-2024-8190, and later CVE-2024-9379/9380).

This pattern raised serious questions about Ivanti's product security practices, particularly for legacy code bases such as CSA 4.6, which was already end-of-life when these bugs were found and, by Ivanti's own statement, would receive no fixes beyond Patch 519.

Lessons for Defenders

End-of-life products are actively targeted: CSA 4.6 was end-of-life when these vulnerabilities were exploited. Attackers specifically target EOL products because they know many organizations are slow to migrate, and the vendor's ability to respond with patches is limited.

Perimeter devices need dedicated monitoring: CSA, like VPNs and firewalls, sits at the network perimeter. These appliances usually cannot run the endpoint detection agents present on servers and workstations, so the coverage has to come from outside the box. Organizations need dedicated monitoring for their perimeter appliances, including:

  • File integrity monitoring on the appliance filesystem, with the web root and any web-server-writable directories compared against a known-good baseline.
  • Network traffic analysis for anomalous outbound connections, including DNS query volume and patterns that could indicate tunneling.
  • Regular comparison of appliance configuration (local accounts, scheduled tasks, integration credentials) against known-good baselines.
  • Appliance logs shipped off-box in near real time, since an attacker with command execution on the device can edit or truncate the local copies.
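The first bullet is the one that catches web shells, and it is simple enough to do without commercial tooling. What follows is an added example, not Ivanti's or CISA's tooling: it hashes every file under a web root into a manifest, diffs a later snapshot against it, and applies a content heuristic to anything new or changed. The directory layout and file contents are constructed for the demo; point `build_manifest` at the real web root (or at a forensic copy of it) to use it for real.

```python
"""File-integrity baseline for an appliance web root.

Added example, not Ivanti's or CISA's tooling. Assumes the appliance filesystem, or a
forensic copy of it, is mounted where this script can read it; the directory and file
names in demo() are constructed.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# PHP functions that turn request data into code or commands. Their presence in a file
# that was not in the baseline is a strong web shell indicator.
SUSPECT_PHP = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|popen|proc_open|assert)\s*\(", re.I
)


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Added, removed and content-changed paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def looks_like_webshell(path: Path) -> bool:
    """Content heuristic for added/modified PHP files: a dangerous function fed from
    request data ($_GET, $_POST, $_REQUEST ...). It decodes nothing, so an obfuscated
    shell can slip past it; the manifest diff, not this check, is the safety net."""
    if path.suffix.lower() not in {".php", ".phtml", ".php5", ".inc"}:
        return False
    data = path.read_bytes()
    return bool(SUSPECT_PHP.search(data)) and b"$_" in data


def audit(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline and flag suspicious changes."""
    report = diff_manifest(baseline, build_manifest(root))
    report["suspect"] = sorted(
        p for p in report["added"] + report["modified"] if looks_like_webshell(root / p)
    )
    return report


def demo() -> dict:
    """Constructed scenario: a clean web root, then a dropped shell and a backdoored page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "gsb").mkdir()
        (root / "gsb" / "index.php").write_text("<?php echo 'admin'; ?>\n")
        (root / "gsb" / "users.php").write_text("<?php require 'db.php'; ?>\n")
        (root / "client").mkdir()
        (root / "client" / "index.php").write_text("<?php echo 'client'; ?>\n")
        baseline = build_manifest(root)  # taken at deployment time, stored off-box
        # Post-compromise: a new shell file and a legitimate page with a backdoor added.
        (root / "gsb" / "help.php").write_text("<?php @eval($_POST['c']); ?>\n")
        (root / "client" / "index.php").write_text(
            "<?php echo 'client'; if(isset($_GET['x'])) system($_GET['x']); ?>\n"
        )
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline manifest somewhere the appliance cannot write to, and take it from a fresh install or vendor image rather than from a device that has been exposed for months; a baseline captured after the compromise simply enshrines the web shell as known-good.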

Assume breach during vulnerability response: When a perimeter device vulnerability is disclosed, assume that exploitation may have already occurred. Patching prevents future exploitation but does not address existing compromises, and as the "patch and own" behavior above shows, a device that is already patched may have been patched by the intruder. Post-patch forensic investigation should be standard practice.

Migration timelines need to account for security risk: Many organizations delayed migration from CSA 4.6 to 5.0 because of operational concerns. The security cost of running EOL software needs to be factored into migration planning.

Mitigation Actions

For organizations still running Ivanti CSA:

  1. Migrate to CSA 5.0 immediately. CSA 4.6 is end-of-life, Patch 519 was its final patch, and it should not be in production.
  2. Review the CSA's web server and system logs for the indicators of compromise published in CISA and FBI's joint advisory on the CSA exploit chains and in Fortinet's report, paying particular attention to traversal sequences in requests to administrative paths.
  3. Check for web shells in the CSA web root and in any directory the web server can write to, comparing against a known-good install rather than relying on signature-based scanning alone.
  4. Rotate all credentials stored in or accessible through the CSA, including AD service accounts and any certificates or API keys used for integrations.
  5. Conduct a forensic investigation if any indicators of compromise are found. Given the lateral movement techniques observed, a CSA compromise should be treated as a potential network-wide compromise.
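Step 2 is where most teams lose time, because the access log does not show the injected command (it travels in the POST body); what it does show is the traversal that reached an admin path without a session, followed by a successful POST. The scanner below is an added example, not tooling from Ivanti, CISA or Fortinet: its patterns are generic traversal and command-injection signatures, `/gsb/` stands in for the appliance's authenticated admin area, and the log lines are constructed. Run it over logs copied off the appliance or carved from a forensic image, never on the live device.

```python
"""Hunt for the CSA exploit chain in copied web-server access logs.

Added example, not tooling from Ivanti, CISA or Fortinet: the indicator patterns are
generic traversal and command-injection signatures, the '/gsb/' admin prefix is a
placeholder for the appliance's authenticated area, and SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# NCSA combined format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ADMIN_PREFIX = "/gsb/"                                      # placeholder admin area
SHELL_META = re.compile(r"[;|`]|\$\(|%3b|%7c|%60|%24%28", re.I)


def classify(line: str):
    """Return (ip, raw_path, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = unquote(unquote(raw))    # twice, so %252e%252e also reads as '..'
    tags = []
    if "/../" in decoded or decoded.endswith("/..") or "%c0%ae" in raw.lower():
        tags.append("traversal")
    # Shell metacharacters are only visible for GET parameters; POST bodies are not logged.
    if ADMIN_PREFIX in decoded and SHELL_META.search(raw.partition("?")[2]):
        tags.append("cmd-meta")
    # A successful POST to the admin area, reached through traversal, is the chain's
    # footprint even though the injected command itself never appears in this log.
    if (m.group("method") == "POST" and ADMIN_PREFIX in decoded
            and m.group("status") == "200" and "traversal" in tags):
        tags.append("unauth-admin-post")
    return m.group("ip"), raw, tags


def scan(lines):
    """Collect suspicious requests and summarise the indicator types per source IP."""
    hits = []
    by_ip = defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            hits.append(parsed)
            by_ip[parsed[0]].update(parsed[2])
    return {"hits": hits, "by_ip": {ip: sorted(t) for ip, t in by_ip.items()}}


# Constructed sample: one client walking the chain, one invoking a dropped shell,
# and one legitimate authenticated admin session that must not be flagged.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2024:03:12:41 +0000] "GET /client/index.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [19/Sep/2024:03:12:42 +0000] "GET /client/..%2fgsb/users.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [19/Sep/2024:03:12:43 +0000] "POST /client/..%2fgsb/settings.php HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.5 - - [19/Sep/2024:03:15:00 +0000] "GET /gsb/help.php?c=id%3bwhoami HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.12 - admin [19/Sep/2024:08:00:00 +0000] "GET /gsb/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_LOG.splitlines()), indent=2))
```

Treat every flagged source as a pivot for the rest of the investigation: the same IP will usually appear again fetching the web shell it dropped, and the timestamps bound the window in which the credential store should be assumed read. Because the command payload is not in the access log, corroborate with process accounting or auditd data if the appliance has any, and with outbound connection logs from the perimeter firewall.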

How Safeguard.sh Helps

Ivanti's 2024 vulnerability pattern demonstrates why perimeter appliances must be part of your supply chain inventory.

  • End-of-life tracking identifies components in your environment that have reached or are approaching end-of-life, flagging the security risk before vulnerabilities are discovered.
  • Vulnerability alerting provides immediate notification when CVEs are published for components in your SBOM, including network appliances like Ivanti CSA.
  • Supply chain risk scoring considers factors like vendor security track record, patch velocity, and EOL status when calculating the risk of each component in your environment.
  • Migration planning support provides visibility into which components need to be upgraded, helping you prioritize migrations based on security risk rather than operational convenience alone.

When a vendor has multiple zero-day exploitation campaigns in a single year, the security posture of their products should be a primary factor in your procurement and lifecycle decisions. Safeguard.sh gives you the data to make those decisions.
