Ivanti Patches Critical Security Flaws: SQL Injections and RCE Vulnerabilities Fixed

Ivanti’s latest patches tackle critical vulnerabilities in Endpoint Manager, preventing remote code execution via SQL injection flaws. Users should update immediately to keep cyber troublemakers at bay.

Hot Take:

It seems like Ivanti and Netflix’s Genie have been binge-watching “How to Lose a Network in 10 Days.” With a cocktail of SQL injections, file upload flaws, and path traversal vulnerabilities, it’s a wonder our digital lives aren’t one giant 404 error page.

Key Points:

  • Ivanti released fixes for multiple critical vulnerabilities in Endpoint Manager (EPM), most of which can allow remote code execution.
  • Six out of ten flaws are SQL injection vulnerabilities requiring no authentication.
  • Netflix’s Genie software has a critical path traversal vulnerability that allows remote code execution.
  • Ivanti also addressed several high-severity issues in other products, including Avalanche and Neurons for ITSM.
  • There are no reports of these vulnerabilities being actively exploited in the wild.

Vulnerability Overload

Ivanti is doing the cybersecurity equivalent of spring cleaning. They’ve rolled out fixes for a plethora of critical vulnerabilities in their Endpoint Manager (EPM) software, some of which are so bad they could make a hacker’s heart skip a beat. Six of these flaws are SQL injection vulnerabilities that let an unauthenticated attacker within the same network execute arbitrary code. That’s right, folks, you don’t even need a VIP pass to crash this party.

SQL Injection Extravaganza

Six out of ten of these nasty little bugs, identified from CVE-2024-29822 through CVE-2024-29827, come with a CVSS score of 9.6. That’s basically the cybersecurity equivalent of a raging fire – you can’t ignore it unless you enjoy chaos. The other four bugs (CVE-2024-29828 through CVE-2024-29846) are also SQL injections but require the attacker to be authenticated. So, at least not just any Joe Schmo can waltz in.

Avalanche and Friends

Not to be outdone, Ivanti’s Avalanche version 6.4.3.602 has its issues too. This high-severity flaw (CVE-2024-29848, CVSS score: 7.2) allows an attacker to achieve remote code execution by uploading a specially crafted file. It’s like giving a burglar your house key and then wondering why your TV’s missing.

Patch Parade

But wait, there’s more! Ivanti’s fixes don’t stop there. They’ve also patched five other high-severity vulnerabilities. These include another SQL injection and unrestricted file upload bug in Neurons for ITSM, a CRLF injection flaw in Connect Secure, and privilege escalation issues in the Secure Access client for both Windows and Linux. Basically, if you’re using Ivanti products, now would be a good time to update everything and maybe buy some digital sage to smudge out the bad vibes.

Genie, You’ve Got Some ‘Splaining to Do

Meanwhile, over in Netflix land, their Genie software is having a bit of a meltdown. A critical flaw (CVE-2024-4701, CVSS score: 9.9) in the open-source version could lead to remote code execution. This path traversal vulnerability allows a malicious actor to write an arbitrary file on the file system, which can then be executed. Imagine being able to name your file anything and put it anywhere – it’s like giving a toddler a marker and turning your back. Disaster is imminent.

REST API Gone Wild

The root of Genie’s troubles lies in its REST API, which is designed to accept user-supplied filenames as part of the request. This means a malicious actor can craft a filename to break out of the default attachment storage path and write a file with any name they choose. If you’re running your own Genie instance and relying on the filesystem to store attachments, you might want to start panicking right about now.
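A containment check for the kind of user-supplied attachment filename described above, as an added example (not Genie's code or its actual fix). The function names, the storage layout and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied attachment name would escape the store."""


def resolve_attachment_path(base_dir: Path, client_name: str) -> Path:
    """Map a client-supplied filename to a path guaranteed to stay under base_dir."""
    if not client_name or "\x00" in client_name:
        raise UnsafeFilename("empty name or NUL byte")
    # Treat both separator styles as separators, whatever OS the server runs on.
    leaf = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Reject rather than silently rewrite: a name carrying directories is worth logging.
    if leaf != client_name or leaf in {".", ".."}:
        raise UnsafeFilename(f"directory components in {client_name!r}")
    base = base_dir.resolve()
    target = (base / leaf).resolve()
    # Defence in depth: after symlink resolution the target must still be inside base.
    if not target.is_relative_to(base):
        raise UnsafeFilename(f"{client_name!r} resolves outside the store")
    return target


def store_attachment(base_dir: Path, client_name: str, data: bytes) -> Path:
    target = resolve_attachment_path(base_dir, client_name)
    # O_EXCL: never overwrite; O_NOFOLLOW: refuse a symlink planted at the leaf.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed sample names through the check; returns name -> accepted?"""
    samples = ["report.csv", "../../outside.txt", "/tmp/x.txt", "..\\..\\x.txt", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "attachments"
        store.mkdir()
        for name in samples:
            try:
                store_attachment(store, name, b"constructed sample data")
                results[name] = True
            except UnsafeFilename:
                results[name] = False
    return results
```

Only the bare filename is accepted; anything carrying a directory component, an absolute path or a symlink that leads out of the store is rejected before a byte is written.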

Directory Traversal: The Cyber Boogeyman

This flaw is particularly nasty because it can trick a web application into exposing files outside of its document root directory. Think credentials for back-end systems, application code, sensitive operating system files – basically, everything you hold dear in your digital life. And as if that wasn’t enough, the U.S. government recently warned about continued attempts by threat actors to exploit directory traversal defects. It’s like the universe is telling you to double-check those locks.

More Than Just a Genie Problem
