Cybersafe Solutions Security Advisory Bulletin March 29, 2024

In this week's Security Advisory:

• Critical Vulnerabilities Identified in Ivanti's Standalone Sentry and Neurons for ITSM
• Apple Releases Security Patch to Address Major Vulnerability Flaws
• Security Patch Released in Google Chrome Desktop Browser

Critical Vulnerabilities Identified in Ivanti's Standalone Sentry and Neurons for ITSM

A critical vulnerability was discovered in Ivanti's Standalone Sentry (formerly MobileIron Sentry) and Neurons for ITSM.  CVE-2023-41724 presents a flaw within the Standalone Sentry, rated at 9.6 out of 10 on the CVSS scale.  The vulnerability allows attackers to remotely execute code directly onto the operating system.  This effects systems running Ivanti Sentry versions 9.19 and earlier.

CVE-2023-46808 is another critical vulnerability affecting Ivanti Neurons for ITSM, scoring 9.9 out of 10 on the CVSS scale. This flaw can allow threat actors to modify files within the ITSM server.  If exploited, attackers can manipulate crucial directories to further compromise the host with a sequence of malicious commands. Ivanti has announced that a patch has been deployed to all Neuron for ITSM cloud environments; however, on-premise systems would still require an immediate update.

It's worth noting that these vulnerabilities are not related to previously disclosed vulnerabilities in Ivanti's PulseSecure devices.

Affected Versions:

• Ivanti Sentry
  • 9.14.0.0
  • 9.17
  • 9.18
  • 9.19
• Ivanti Neurons for ITSM
  • 2022.2.0
  • 2022.3.0
  • 2023.1.0
  • 2023.2.0
  • 2023.3.0
  • 2023.4.0

More Reading/Information

• https://forums.ivanti.com/s/article/CVE-2023-46808-Authenticated-Remote-File-Write-for-Ivanti-Neurons-for-ITSM?language=en_US 
• https://forums.ivanti.com/s/article/KB-CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry?language=en_US 
• https://threatprotect.qualys.com/2024/03/21/ivanti-patches-remote-code-execution-vulnerability-in-standalone-sentry-cve-2023-41724/
• https://socradar.io/critical-rces-ivanti-itsm-telerik/ 

Apple Releases Security Patch to Address Major Vulnerability Flaws

Apple has issued security updates for modules in it's CoreMedia and WebRTC frameworks across portions of its entire product lineup. CoreMedia, an Apple-designed toolkit, streamlines application integration for iOS and MacOS developers. WebRTC is a suite of APIs that allow for real-time web communication and is used by several Apple applications to enable seamless communication functionalities.  Successful exploitation of these vulnerabilities can impact an organization by allowing an attacker to execute remote scripts on any of the affected devices.

This vulnerability is currently being tracked as CVE-2024-1580 with a CVSS score of 5.9 out of a possible 10. Discovery was credited to a security researcher at Google, who published an explanation earlier this month as well as a POC in unison with Apples latest patch.

Affected Versions:

• iOS and iPadOS prior to version 17.4.1 ("iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later")
• iOS and iPadOS prior to version 16.7.7 ("iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation")
• visionOS prior to version 1.1.1 ("Apple Vision Pro")
• macOS Ventura prior to version 13.6.6
• macOS Sonoma prior to version 14.4.1
• Safari prior to version 17.4.1 ("macOS Monterey and macOS Ventura")

More Reading/Information

• https://www.independent.co.uk/tech/ios-17-4-1-apple-update-iphone-download-new-b2517081.html 
• https://www.securityweek.com/apple-patches-code-execution-vulnerability-in-ios-macos/ 
• https://www.forbes.com/sites/kateoflahertyuk/2024/03/23/ios-1741-update-now-warning-issued-to-all-iphone-users/
• https://9to5mac.com/2024/03/25/safari-update-security-patches-macos/ 

Security Patch Released in Google Chrome Desktop Browser

Google released a security update to fix seven (7) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux with one (1) receiving a severity rating of "Critical" and three (3) receiving a severity of 'High'.

The critical vulnerability, known as CVE-2024-2883, involves a memory allocation issue that occurs when the program attempts to access memory that has been freed, potentially leading to unpredictable behavior or security risks.

More Reading/Information

• https://chromereleases.googleblog.com/
• https://www.tenable.com/plugins/nessus/192578

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.