SonicWALL Inc.

11/01/2024 | Press release | Distributed by Public on 11/02/2024 02:05

CVE 2024 9379: Ivanti Cloud Service Appliance Authenticated SQL Injection

Overview

The SonicWall Capture Labs threat research team became aware of an authenticated SQL injection vulnerability affecting Ivanti Cloud Service Appliances (CSA). Identified as CVE-2024-9379 and with a moderate CVSSv3 score of 6.5, the vulnerability is more severe than it initially appears due to reported exploitation attempts. Recently, in its October security update, Ivanti announced, "We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are chained with CVE-2024-8963." Labeled as a SQL injection vulnerability and categorized as CWE-89, this vulnerability allows authenticated attackers to run arbitrary SQL statements and compromise the server database.

No public PoC is available yet, but according to CISA, CVE-2024-9379 is one of three Ivanti CSA vulnerabilities that are exploited in the wild. With admin privileges, an attacker can compromise the Ivanti server database by injecting crafted SQL queries into vulnerable versions of Ivanti CSA. Users are strongly encouraged to update CSA to version 5.0.2.

Technical Overview

The Ivanti Cloud Services Appliance (CSA) provides secure communication and functionality over the Internet. It acts as a meeting platform where the console and managed devices are connected over the Internet, even if they are behind firewalls or use a proxy to access the Internet.

CVE-2024-9379 is a critical SQL injection vulnerability found in Ivanti's Cloud Services Appliance (CSA). This flaw enables an authenticated attacker to execute arbitrary SQL commands by injecting malicious inputs into specific fields of the administrative web interface. SQL injection occurs when an application inadequately sanitizes user inputs, allowing the attacker to manipulate the queries sent to the database. In this case, the attacker must possess administrative credentials to access the vulnerable fields. This issue can be exploited remotely and could lead to unauthorized access to sensitive data.

Triggering the Vulnerability

Given these prerequisites, the exploitation pathway for this vulnerability is more targeted and requires an attacker with access credentials and specific knowledge of the application structure. Here's how these conditions impact the risk and vulnerability triggering strategies:

  • Administrative Credentials: Since the attack requires administrative-level access, it limits the pool of potential attackers to those who can compromise credentials. According to CISA, CVE-2024-8963 may be facilitating credential compromise.
  • Identification of Vulnerable Input Fields: The attacker must know the specific vulnerable input field, which typically requires access to the application's source code, configurations, or significant reconnaissance efforts.
  • POST Request with Malicious SQL: This step requires attackers to craft a valid POST request that includes necessary access tokens, making exploitation more complex and potentially easier to detect.

Exploitation

Successful exploitation could allow attackers to manipulate or delete critical data and escalate privileges. When combined with other vulnerabilities, the attack could lead to:

  • Full Compromise of Database Integrity: Attackers could modify, delete, or exfiltrate database records, affecting data integrity and confidentiality.
  • Privilege Escalation: By leveraging this vulnerability, attackers could gain higher-level permissions, granting broader access across the system.
  • Remote Code Execution (RCE): Combined with other vulnerabilities, this vulnerability allows the attacker to execute arbitrary commands, compromising the host system and potentially leading to further infiltration.
  • Service Disruption: Exploiting specific SQL commands could lead to system crashes or instability, interrupting services and affecting availability.

Suppose the username field in the CSA admin panel is used to retrieve data from the database. An attacker could enter a malicious payload as shown in Figure 1, causing the database to pause execution for 10 seconds. Here the attacker injects into the username field, which is used in the "WHERE" clause of a "SELECT" statement. Repeated requests using this kind of payload can degrade performance, resulting in service disruption.


Figure 1: Denial of Service using SQL query

Another possibility is that an attacker could use ";" to terminate the intended query and append a new SQL statement that modifies the database. As an example, in Figure 2 the injected "UPDATE" command may grant the attacker's user account the admin role, giving unauthorized access to privileged features within Ivanti CSA.


Figure 2: Privilege Escalation using SQL query
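To make the two scenarios above concrete, the following added example (not SonicWall's or Ivanti's code) contrasts a lookup that splices the username straight into the WHERE clause of a SELECT with a parameterized version of the same query. The user table, user names and sample inputs are constructed for illustration; an in-memory SQLite database stands in for the appliance's database.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for an admin-panel user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Constructed inputs mirroring the two figures: a condition that is always
# true inside the WHERE clause, and a ';'-terminated statement that tries
# to promote an account to admin.
TAUTOLOGY_INPUT = "x' OR '1'='1"
STACKED_INPUT = "x'; UPDATE users SET role='admin' WHERE name='bob'; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    # Vulnerable pattern: the submitted username lands verbatim inside the
    # WHERE clause, so the input can change the statement's logic.
    query = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Hardened pattern: the value is bound as a parameter; whatever it
    # contains, it is compared as data and never parsed as SQL.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def role_of(conn, username):
    # Helper used to confirm that no input altered the stored role.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None
```

With the constructed inputs, the vulnerable lookup returns every row for the tautology, while the parameterized lookup returns nothing for either input and leaves the stored roles untouched; whether a ";"-stacked statement also executes depends on the database driver, which is why the safe form, not driver behaviour, should be relied on.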

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:20455 - Ivanti Cloud Service Appliance SQL Injection

Remediation Recommendations

According to the advisory, given the severe consequences of this vulnerability and the trend of malicious actors leveraging the exploit in the wild, users are strongly encouraged to upgrade their CSA instances to version 5.0.2 to address the vulnerability.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.