CVE-2024-9842
📋 TL;DR
This vulnerability in Ivanti Secure Access Client allows local authenticated attackers to create arbitrary folders due to incorrect permissions. This could lead to privilege escalation or other security issues. Affected users are those running Ivanti Secure Access Client versions before 22.7R4.
💻 Affected Systems
- Ivanti Secure Access Client
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create folders in system directories, potentially leading to privilege escalation, persistence mechanisms, or disruption of system operations.
Likely Case
Local authenticated users could create folders in unintended locations, potentially enabling further attacks or causing system instability.
If Mitigated
With proper access controls and monitoring, impact is limited to folder creation without escalation to full system compromise.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.7R4 and later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs
Restart Required: Yes
Instructions:
1. Download Ivanti Secure Access Client version 22.7R4 or later from the Ivanti support portal.
2. Uninstall the current vulnerable version.
3. Install the patched version.
4. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict Local Access
All platforms: Limit local authenticated access to systems running Ivanti Secure Access Client to trusted users only.
Monitor Folder Creation
All platforms: Implement file system monitoring to detect unauthorized folder creation in system directories.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can log into systems running the vulnerable client
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious folder creation activities
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Secure Access Client version in the application's About section or via the command line. Versions before 22.7R4 are affected.
- On Windows: check the program version in Control Panel > Programs and Features.
- On Linux/macOS: check the version via the package manager or the application interface.
Check Version:
- Windows: wmic product where name='Ivanti Secure Access Client' get version
- Linux/macOS: check the application version in the GUI or via the installed package version.
Verify Fix Applied:
Verify the installed version is 22.7R4 or later through the application interface or system package manager.
📡 Detection & Monitoring
Log Indicators:
- Unexpected folder creation events in system directories
- Security logs showing local user authentication followed by file system modifications
Network Indicators:
- No direct network indicators as this is a local vulnerability
SIEM Query:
EventID=4663 OR EventID=4656 (Windows file system audit events) showing folder creation in system directories by Ivanti Secure Access Client users
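The SIEM query above, worked through as an added example (not vendor or advisory code): a filter over exported audit events that keeps only add-subdirectory access in system directories by non-service accounts. The flat JSON field layout, the list of system directories and all sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

EVENT_IDS = {4663, 4656}      # the two audit event IDs named in the SIEM query above
FILE_ADD_SUBDIRECTORY = 0x4   # shares its bit with FILE_APPEND_DATA, so hits need triage
# Assumption: which paths count as "system directories"; match them to your audit SACLs.
SYSTEM_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData")]
# LocalSystem, LocalService and NetworkService are service identities, not local users.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def under_system_dir(object_name):
    """True if the path is a system directory or lies below one (case-insensitive)."""
    path = PureWindowsPath(object_name)
    return any(path == d or d in path.parents for d in SYSTEM_DIRS)


def suspicious_folder_creations(json_lines):
    """Return (event_id, user, object_name, process) for each candidate event."""
    hits = []
    for line in json_lines:
        ev = json.loads(line)
        event_id = int(ev.get("EventID", 0))
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if event_id not in EVENT_IDS or not mask & FILE_ADD_SUBDIRECTORY:
            continue
        if ev.get("SubjectUserSid") in SERVICE_SIDS:
            continue
        if under_system_dir(ev.get("ObjectName", "")):
            hits.append((event_id, ev.get("SubjectUserName"),
                         ev.get("ObjectName"), ev.get("ProcessName")))
    return hits


def _ev(event_id, sid, user, obj, mask):   # builds one constructed sample record
    return json.dumps({"EventID": event_id, "SubjectUserSid": sid, "SubjectUserName": user,
                       "ObjectName": obj, "AccessMask": mask,
                       "ProcessName": r"C:\Constructed\example.exe"})


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(4663, "S-1-5-21-1-2-3-1001", "alice", r"C:\Windows\System32\constructed-dir", "0x4"),
    _ev(4663, "S-1-5-18", "SYSTEM", r"C:\Windows\Temp\constructed-dir", "0x4"),
    _ev(4663, "S-1-5-21-1-2-3-1002", "bob", r"C:\Users\bob\Documents\new", "0x4"),
    _ev(4663, "S-1-5-21-1-2-3-1001", "alice", r"C:\Program Files", "0x1"),
    _ev(4656, "S-1-5-21-1-2-3-1002", "bob", r"c:\programdata\Constructed", "0x6"),
]

if __name__ == "__main__":
    for hit in suspicious_folder_creations(SAMPLE_EVENTS):
        print(hit)
```

These events are only generated when object access auditing is enabled and the directories carry an audit SACL; without that the filter has nothing to read.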