CVE-2024-7571
📋 TL;DR
This vulnerability in Ivanti Secure Access Client allows a local authenticated attacker to escalate privileges due to incorrect file permissions. It affects users running Ivanti Secure Access Client versions before 22.7R4. Attackers must already have local access to the system to exploit this flaw.
💻 Affected Systems
- Ivanti Secure Access Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local user access could gain SYSTEM/root privileges, potentially taking full control of the endpoint, installing malware, accessing sensitive data, or pivoting to other systems.
Likely Case
A malicious insider or compromised user account could elevate privileges to install persistent backdoors, disable security controls, or access restricted files on the local system.
If Mitigated
With proper access controls and least privilege principles, the impact is limited to the local system only, preventing lateral movement or network-wide compromise.
🎯 Exploit Status
Exploitation requires local authenticated access. The CWE-267 (Privilege Defined With Unsafe Actions) suggests the vulnerability involves improper permission handling that could be relatively straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.7R4
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs
Restart Required: Yes
Instructions:
1. Download Ivanti Secure Access Client version 22.7R4 from the official Ivanti portal.
2. Uninstall the current vulnerable version.
3. Install version 22.7R4.
4. Restart the system to ensure all changes take effect.
🔧 Temporary Workarounds
Restrict Local Access
Limit local user access to systems running Ivanti Secure Access Client to only trusted, necessary personnel.
Implement Least Privilege
Ensure all user accounts operate with the minimum necessary privileges to reduce the impact if the flaw is exploited.
🧯 If You Can't Patch
- Monitor for unusual privilege escalation attempts using endpoint detection tools
- Isolate affected systems from critical network segments to limit lateral movement potential
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Secure Access Client version in the application's About section or via system installed programs list.
Check Version:
On Windows: Check Add/Remove Programs or run 'wmic product where name="Ivanti Secure Access Client" get version'. On Linux/macOS: Check the application's About dialog or installation directory.
Verify Fix Applied:
Verify the installed version is 22.7R4 or later in the application's About section.
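Because the flaw is a file-permission weakness, a defender will usually want to confirm both the installed version and that the client's install directory is not writable by ordinary users. The following PowerShell script is an added example, not part of the advisory or of Ivanti's tooling; it assumes the client registers under the standard Uninstall registry keys with a DisplayName containing "Ivanti Secure Access Client", that DisplayVersion begins with the major.minor numbers (22.7), and that InstallLocation is populated.

```powershell
# Added check (not from the advisory): find the Ivanti Secure Access Client via the
# Uninstall registry keys, report its version, and audit the install directory ACL
# for write access granted to low-privilege principals.
# Assumption: DisplayName/DisplayVersion/InstallLocation are present in the key.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Ivanti Secure Access Client*' } |
    Select-Object -First 1

if (-not $app) { Write-Output 'Ivanti Secure Access Client not found in Uninstall keys.'; return }
Write-Output ("Installed: {0} version {1}" -f $app.DisplayName, $app.DisplayVersion)

# Fixed release is 22.7R4. Anything below major.minor 22.7 is vulnerable; 22.7
# builds still need the R-level confirmed (the R suffix is not a numeric field).
if ($app.DisplayVersion -match '^(\d+)\.(\d+)') {
    $mm = [version]("{0}.{1}" -f $Matches[1], $Matches[2])
    if ($mm -lt [version]'22.7') {
        Write-Output 'RESULT: version predates 22.7R4 - patch required.'
    } else {
        Write-Output 'RESULT: 22.7 line - confirm the build is R4 or later in the About dialog.'
    }
}

# Principals that should never hold write/modify rights on software that runs as SYSTEM.
$weakPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

$dir = $app.InstallLocation
if ($dir -and (Test-Path $dir)) {
    $acl  = Get-Acl -Path $dir
    # Note: ACEs expressed as raw generic-rights integers are not decoded here.
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
    if ($weak) {
        Write-Output "WARNING: $dir grants write access to low-privilege principals:"
        $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    } else {
        Write-Output "OK: no write access for low-privilege principals on $dir"
    }
} else {
    Write-Output 'InstallLocation not recorded; audit the install directory ACL manually.'
}
```

Run it from an elevated PowerShell session so the registry and ACL reads succeed; a WARNING line means the directory still needs review even after the 22.7R4 upgrade.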
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Unauthorized access to SYSTEM/root level resources
- Changes to Ivanti Secure Access Client files or permissions
Network Indicators:
- Unusual outbound connections from Ivanti client systems post-exploitation
SIEM Query:
EventID=4688 AND ProcessName="*ivanti*" AND (ParentProcess="cmd.exe" OR ParentProcess="powershell.exe") AND (NewProcess="*runas*" OR NewProcess="*admin*")
(The two alternatives are parenthesised so they group as intended; without the grouping, AND binds tighter than OR in most SIEM query languages and a leading "EventID=4688 OR ..." clause would match every process-creation event.)