Ivanti warned of a critical authentication bypass flaw in its Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts.
Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-7593 (CVSS score of 9.8), impacting Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts.
Ivanti vTM (Virtual Traffic Manager) is a software-based traffic management solution designed to optimize and secure application delivery.
“Successful exploitation could lead to authentication bypass and creation of an administrator user.” reads the advisory published by the software firm. “Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. “
The vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-facing vTM admin console.
The company addressed the flaw with the release of patch 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024). The company explained that customers who have pointed their management interface to a private IP and restricted access can address the issue at their earliest convenience.
Ivanti states that it is unaware of attacks exploiting this flaw in the wild, however it is aware of the public availability of Proof of Concept exploit code.
“We are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version ” continues the advisory.
To limit the exploitability of this vulnerability, Ivanti recommends to limit Admin Access to the Management Interface internal to the network through the private / corporate network.
Below are instructions provided by the company:
1. On the VTM server navigate to System > Security then click the drop down for the Management IP Address and Admin Server Port section of the page
2. In the bindip drop down select the Management Interface IP Address. As another option, customers can also utilize the setting directly above the “bindip” setting to restrict access to trusted IP addresses, further restricting who can access the interface.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Ivanti Virtual Traffic Manager (vTM))