Ivanti CSA (Cloud Services Appliance) zero-day Attack

What is the Attack?Attackers are actively exploiting multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance) that could lead an attacker to gain admin access, bypass security measures, run arbitrary SQL commands, and execute code remotely.In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged where an advanced adversary was observed exploiting vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). To read more visit: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs (fortinet.com)CVE-2024-9379: SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.CVE-2024-9380: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.CVE-2024-8963: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.What is the recommended Mitigation?Ivanti has released updates for Ivanti CSA (Cloud Services Appliance) which addresses these vulnerabilities. Security Advisory Ivanti CSA (Cloud Services Appliance)In the advisory, Ivanti has mentioned that they have observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963.What FortiGuard Coverage is available?FortiGuard recommends users apply the vendor’s fixes as mentioned in the advisory. FortiGuard Web Filtering service has blocked all the known Indicators of Compromise (IoCs) captured during the IR engagement.FortiGuard Antivirus service has blocked all the known malware used by the threat actor in the related campaign.FortiGuard IPS protection is available for CVE-2024-8963 “Ivanti.Cloud.Service.Appliance.datetime.Command.Injection”, and CVE-2024-9380 “Ivanti.Cloud.Service.Appliance.reports.php.OS.Command.Injection” to defend against the attacks targeting the vulnerable Ivanti CSA systems.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.