Ivanti and Veeam bugs fall under attack
CISA has sounded the alarm over a pair of actively targeted vulnerabilities in Ivanti and Veeam software
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a pair of actively targeted flaws to its security catalogue.
The US government's cybersecurity watchdog said that CVE-2023-38035 and CVE-2023-27532 were being actively exploited.
CVE-2023-38035 describes an authentication bypass vulnerability in MobileIron Security that, in versions prior to 9.18.0, causes the software to fail to properly perform security checks. As a result, attackers are able to access APIs and issue commands that should normally be limited to administrator accounts.
"When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform," Ivanti said of the vulnerability.
"This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution."
Ivanti notes that the risk of attack can be mitigated by limiting access to port 8443 and says that if the port, commonly used for MICS (MobileIron Configuration Service) access, is not enabled there is no risk of attack.
"While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet," Ivanti said.
Meanwhile, administrators operating Veeam Backup & Replication are best served by upgrading their software in order to mitigate a security bypass vulnerability, CVE-2023-27532.
The problem, it is said, stems from a flaw that allows an attacker to bypass authentication checks.
"[the vulnerability] allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts."
Upgrading Veeam to version 12 (build 12.0.0.1420 P20230223) or 11a (build 11.0.1.1261 P20230227) will patch the vulnerability.
CISA did not provide details on the nature of the attacks but said that federal agencies would be well advised to test and install both updates as soon as possible.
While CISA does not have authority beyond US government agencies, the administration carries immense weight both with the Department of Homeland Security and with the private industries that work with the DHS and CISA on US government projects.
As a result, private companies also tend to follow CISA directives as a best practice.
"Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalogue vulnerabilities as part of their vulnerability management practice," CISA says.