CVE-2024-37398

7.8 HIGH

📋 TL;DR

This vulnerability in Ivanti Secure Access Client allows local authenticated users to escalate their privileges due to insufficient validation. Attackers with standard user access can gain administrative privileges on affected systems. Organizations using Ivanti Secure Access Client versions before 22.7R4 are affected.

💻 Affected Systems

Products:
  • Ivanti Secure Access Client
Versions: All versions before 22.7R4
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local authenticated access to the system where the client is installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local authenticated attacker gains full administrative control over the system, potentially compromising the entire endpoint and accessing sensitive data.

🟠 Likely Case

Malicious insider or compromised user account escalates to admin privileges, enabling installation of malware, data exfiltration, or lateral movement.

🟢 If Mitigated

With proper privilege separation and monitoring, impact is limited to isolated endpoint compromise that can be quickly detected and contained.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access but appears to be straightforward based on the vulnerability description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.7R4 and later

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Restart Required: Yes

Instructions:

1. Download Ivanti Secure Access Client version 22.7R4 or later from the Ivanti support portal.
2. Run the installer on affected endpoints.
3. Restart the system to complete the installation.

🔧 Temporary Workarounds

Restrict Local User Access (applies to: all platforms)

Limit local user access to systems running Ivanti Secure Access Client to reduce attack surface.

Implement Least Privilege (applies to: all platforms)

Ensure users only have necessary privileges and cannot run arbitrary executables.

🧯 If You Can't Patch

  • Monitor for privilege escalation attempts using endpoint detection tools
  • Implement application whitelisting to prevent unauthorized executables

🔍 How to Verify

Check if Vulnerable:

Check the Ivanti Secure Access Client version in the application's about section or via system information.

Check Version:

On Windows: Check the program version in Control Panel > Programs and Features.
On Linux/macOS: Check the package version via the system package manager.

Verify Fix Applied:

Verify that the installed version is 22.7R4 or later, and confirm that standard users can no longer obtain administrative privileges through the client.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Unauthorized process execution with elevated privileges
  • Security log entries showing user privilege changes

Network Indicators:

  • Unusual outbound connections from Ivanti client processes
  • Traffic patterns indicating data exfiltration

SIEM Query:

source="security_logs" AND (event_id="4672" OR event_id="4688") AND process_name="*ivanti*" AND user_privilege_change="true"
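As an added example (not from this page or from Ivanti), the intent of the query above expressed as Python over constructed Windows Security log records. It assumes records shaped like the 4688 (process creation) and 4672 (special privileges assigned) event schemas; `user_privilege_change` is not a native Windows field, so the rule approximates it with a full elevation token on a 4688 for an Ivanti-named process, or any 4672 for an account outside a constructed admin allowlist.

```python
from fnmatch import fnmatch
from typing import Optional

# Windows 4688 TokenElevationType value for a fully elevated token (TokenElevationTypeFull).
ELEVATED_TOKEN = "%%1937"
# Constructed allowlist (assumption): accounts expected to receive special privileges.
KNOWN_ADMINS = {"CORP\\svc-deploy"}


def matches_ivanti(process_name: str) -> bool:
    """Mirror the query's process_name="*ivanti*" wildcard, case-insensitively."""
    return fnmatch(process_name.lower(), "*ivanti*")


def flag_event(ev: dict) -> Optional[str]:
    """Return a reason if the record matches the rule, else None.

    4672 carries no process field, so a special-privilege logon by any
    non-allowlisted account is the 'user_privilege_change' signal.
    """
    user = ev.get("SubjectUserName", "")
    if user in KNOWN_ADMINS:
        return None  # expected privileged activity
    if ev["EventID"] == 4688:
        proc = ev.get("NewProcessName", "")
        if matches_ivanti(proc) and ev.get("TokenElevationType") == ELEVATED_TOKEN:
            return f"4688: {user} started {proc} with a fully elevated token"
    elif ev["EventID"] == 4672:
        return f"4672: special privileges assigned to {user}: {ev.get('PrivilegeList', '')}"
    return None


def run_detection(events: list) -> list:
    """Apply flag_event to every record and return the hits in log order."""
    return [hit for hit in map(flag_event, events) if hit]


# Constructed sample records (placeholder path, not real Ivanti telemetry).
IVANTI_EXE = r"C:\PLACEHOLDER\Ivanti\client.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "CORP\\jdoe", "NewProcessName": IVANTI_EXE,
     "TokenElevationType": "%%1937"},                       # flagged: elevated token
    {"EventID": 4688, "SubjectUserName": "CORP\\jdoe", "NewProcessName": IVANTI_EXE,
     "TokenElevationType": "%%1938"},                       # limited token, normal
    {"EventID": 4688, "SubjectUserName": "CORP\\jdoe", "TokenElevationType": "%%1937",
     "NewProcessName": r"C:\Windows\notepad.exe"},          # process does not match
    {"EventID": 4672, "SubjectUserName": "CORP\\jdoe",
     "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege"},   # flagged: non-admin account
    {"EventID": 4672, "SubjectUserName": "CORP\\svc-deploy",
     "PrivilegeList": "SeDebugPrivilege"},                  # allowlisted admin, normal
]
```

Running `run_detection(SAMPLE_EVENTS)` yields two hits: the elevated-token 4688 and the non-admin 4672; the allowlist and token check are what keep routine client activity out of the alert queue.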
