ivanti
12
Apr

Ivanti addresses critical security flaws

Ivanti has issued security patches to fix four vulnerabilities affecting Connect Secure and Policy Secure Gateways, which could potentially lead to code execution and denial-of-service (DoS) attacks.

These flaws could lead to code execution and denial-of-service (DoS) attacks.

The vulnerabilities include a heap overflow flaw (CVE-2024-21894) in the IPSec component, enabling unauthenticated attackers to crash the service or execute arbitrary code. Another null pointer dereference vulnerability (CVE-2024-22052) in IPSec allows for DoS attacks. Additionally, two more heap overflow vulnerabilities (CVE-2024-22053) and an XML entity expansion vulnerability (CVE-2024-22023) in the SAML component could also result in DoS attacks or memory content disclosure.

Ivanti’s CEO, Jeff Abbott, acknowledged the recent security events and emphasized the company’s commitment to improving its security posture and processes. This includes adopting secure-by-design principles, enhancing transparency with customers, and restructuring its engineering, security, and vulnerability management practices. Ivanti plans to increase internal scanning, testing capabilities, and engagement with third-party security researchers, along with enhancing its bug bounty program.

ivanti

Despite the vulnerabilities, Ivanti stated it has no evidence of customer exploitation at the time of disclosure.

In summary, Ivanti has addressed critical vulnerabilities in its products, emphasizing a proactive approach to security improvement and collaboration with the cybersecurity community to enhance its defenses and protect its customers.