
Critical vTM authentication bypass flaw addressed through patches


Ivanti has addressed a critical authentication bypass flaw, tracked as CVE-2024-7593, affecting Virtual Traffic Manager (vTM) appliances, with the release of patches 22.2R1 and 22.7R2.

The vulnerability, with a CVSS score of 9.8, could be exploited to create rogue administrator accounts. It results from the faulty implementation of an authentication algorithm that allows unauthenticated attackers to bypass authentication on the Internet-side vTM admin console remotely.

Ivanti vTM is a traffic management software solution developed to secure and optimise application delivery. While the company stated that it is unaware of the flaw being exploited in the wild, it is aware of the publicly available Proof-of-Concept code.

“Successful exploitation could lead to authentication bypass and creation of an administrator user,” said Ivanti. Customers who set up their management interface with a private IP address and restricted access have significantly reduced risk of attacks.

To limit possible exploits, Ivanti recommended updating to the latest patch and restricting administrator access to the management interface. It further provided instructions to counter the issue, accessible over the management interface, given below:

  1. Navigate to System -> Security on the vTM server and click on the drop-down for Management IP Address and Admin Server Port on the page.
  2. Click the bindip drop-down and select Management Interface IP Address. Users can also change the setting above bindip to limit access to trusted IP addresses only.
The drop-down on the vTM server which needs to be changed to limit attacks. | Source: Ivanti

To determine whether an appliance has been compromised, the ‘Audit Logs Output’ can be reviewed to check whether an admin user has been added without authentication. Examples of such log entries are as follows:

  1. A ‘userX’ added normally by admin via the GUI:
  • [08/Aug/2024:21:50:12 +0530] USER=admin GROUP=admin AUTH=local IP=XX.XX.XX.XXX  OPERATION=adduser MODUSER=userX MODGROUP=admin

  2. A ‘userY’ added through exploit code:
  • [08/Aug/2024:21:52:22 +0530] USER=!!ABSENT!! GROUP=!!ABSENT!!  AUTH=!!ABSENT!!  IP=!!ABSENT!! OPERATION=adduser MODUSER=userY MODGROUP=admin

When the exploit code is used, fields such as USER, GROUP, AUTH, and IP are logged as !!ABSENT!!, which makes the activity detectable. To limit the risk of exploitation, it is advisable to review the logs and update to patch 22.2R1 or 22.7R2 as soon as possible.
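As an added illustration (not code from Ivanti or the article), the following script parses audit log entries in the format shown above and flags any adduser operation whose identity fields are !!ABSENT!! or missing. The sample lines are constructed, modelled on the two entries quoted above; the field names and the !!ABSENT!! marker are taken from the page, while the log format assumptions beyond that are the author's.

```python
import re

# Constructed sample, modelled on the vTM 'Audit Logs Output' entries quoted above.
SAMPLE_AUDIT_LOG = """\
[08/Aug/2024:21:50:12 +0530] USER=admin GROUP=admin AUTH=local IP=XX.XX.XX.XXX  OPERATION=adduser MODUSER=userX MODGROUP=admin
[08/Aug/2024:21:52:22 +0530] USER=!!ABSENT!! GROUP=!!ABSENT!!  AUTH=!!ABSENT!!  IP=!!ABSENT!! OPERATION=adduser MODUSER=userY MODGROUP=admin
[08/Aug/2024:21:53:01 +0530] USER=admin GROUP=admin AUTH=local IP=XX.XX.XX.XXX  OPERATION=login
"""

# "[timestamp] KEY=VALUE KEY=VALUE ..." (assumed layout, based on the quoted entries)
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<fields>.*)$")
ABSENT = "!!ABSENT!!"
IDENTITY_FIELDS = ("USER", "GROUP", "AUTH", "IP")


def parse_entry(line):
    """Turn one audit line into a dict of fields; returns None for lines that do not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"timestamp": m.group("ts")}
    for token in m.group("fields").split():  # split() also absorbs the double spaces
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value
    return entry


def is_suspicious_adduser(entry):
    """An adduser with no authenticated identity behind it: any of USER/GROUP/AUTH/IP
    is !!ABSENT!! (a field that is missing altogether is treated the same way)."""
    if entry.get("OPERATION") != "adduser":
        return False
    return any(entry.get(f, ABSENT) == ABSENT for f in IDENTITY_FIELDS)


def find_suspicious_adduser(log_text):
    """Return the parsed entries that should be investigated, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and is_suspicious_adduser(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_adduser(SAMPLE_AUDIT_LOG):
        print(f"{hit['timestamp']}: unauthenticated adduser of "
              f"{hit.get('MODUSER')} into group {hit.get('MODGROUP')}")
```

Run it against an exported audit log instead of the embedded sample to triage a real appliance; every hit names the account that was created and should be removed.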


Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
