The Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies that they must remove or update an Ivanti appliance that is vulnerable to remote-code execution.
According to an Ivanti advisory, the company has issued a patch for its Cloud Service Appliance (CSA) version 4.6 after discovering an OS command injection vulnerability that allows a remote, authenticated attacker to run code on a device using the CSA. The bug has been assigned CVE-2024-8190.
The advisory warned that CSA 4.6 has reached end of life and will no longer receive new patches, and that customers should upgrade to CSA version 5.0. Threat actors have been exploiting the vulnerability since at least September 13, according to Ivanti.
“This is the last fix that Ivanti will backport for this version,” the advisory stated, adding that “CSA 5.0 is the only supported version and does not contain this vulnerability.”
In a bulletin, CISA staff wrote that the agency had added CVE-2024-8190 to its Known Exploited Vulnerabilities (KEV) catalog, a federal database that compiles documented security flaws in software products. Executive orders issued under the Biden administration require most executive branch agencies (known as Federal Civilian Executive Branch [FCEB] agencies) to remediate flaws on the list.
According to the vulnerability’s catalog entry, CISA has set a deadline of Oct. 4 for agencies to take action.
In May, cybersecurity scanning company Bitsight released research concluding that organizations’ median time to patch bugs on the KEV list is 3.5 times faster than for bugs tracked on other lists. However, the research also found that 60% of KEVs are remediated only after CISA’s deadlines, though federal agencies tended to perform better.
As Infosecurity Magazine recently reported, CISA is currently working on a plan to align “collective operational defense capabilities” across FCEB agencies. Areas where CISA hopes to see improvement include asset and vulnerability management, as well as defensible architecture, software supply-chain security, and incident detection and response.