Organizations Warned of Exploited Fortinet FortiOS Vulnerability

CISA has added a Fortinet FortiOS vulnerability tracked as CVE-2024-23113 to its Known Exploited Vulnerabilities (KEV) catalog.

The post Organizations Warned of Exploited Fortinet FortiOS Vulnerability appeared first on SecurityWeek.

SecurityWeek – Read More

Attack Surface Management Startup WatchTowr Raises $19 Million

Continuous automated red teaming platform provider WatchTowr has raised $19 million in a Series A funding round.

The post Attack Surface Management Startup WatchTowr Raises $19 Million appeared first on SecurityWeek.

SecurityWeek – Read More

Ghidra data type archive for Windows driver functions

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.

However, it is not uncommon for the definitions in question to be absent from any preexisting .gdt file, meaning a new definition must be created manually. Additionally, in some cases the function or data type is undocumented by Microsoft, which makes creating a new definition considerably more tedious.

To aid analysts in reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub containing definitions for functions and data types that were created as needed during our analysis of malicious drivers because they were not present in the commonly used data type archives.

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.

The archive can be found here on our GitHub repository.

Cisco Talos Blog – Read More

Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

Cybersecurity researchers have shed light on a new digital skimmer campaign that leverages Unicode obfuscation techniques to conceal a skimmer dubbed Mongolian Skimmer.
“At first glance, the thing that stood out was the script’s obfuscation, which seemed a bit bizarre because of all the accented characters,” Jscrambler researchers said in an analysis. “The heavy use of Unicode characters, many

The Hacker News – Read More

CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory report on vulnerabilities disclosed in multiple Ivanti products. These products include Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Service Application (CSA), Ivanti Velocity License Server, Ivanti Connect Secure, Policy Secure, and Ivanti Avalanche.

The official advisory from Ivanti specifically addresses several vulnerabilities affecting the Ivanti Cloud Service Application (CSA). It notes that a limited number of customers running CSA version 4.6 patch 518 and earlier have been exploited when one of the vulnerabilities CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 is chained with CVE-2024-8963.

The recent advisory from Ivanti covers a range of vulnerabilities across its product lines, all requiring urgent attention.

Details of Ivanti Vulnerabilities

CVE-2024-7612, classified as high severity with a CVSS score of 8.8, affects Ivanti EPMM (Core) versions 12.1.0.3 and earlier. This vulnerability involves incorrect permission assignment, allowing local authenticated attackers to read or modify sensitive configuration files without proper authorization. If exploited, it could lead to severe security breaches.

Another vulnerability, CVE-2024-9379, has been categorized as medium severity with a CVSS score of 6.5. This SQL injection vulnerability affects Ivanti CSA (Cloud Services Appliance) versions 5.0.1 and earlier, allowing remote authenticated attackers with admin privileges to execute arbitrary SQL statements through the admin web console.

Furthermore, CVE-2024-9380, an OS command injection vulnerability also affecting Ivanti CSA, is rated high with a CVSS score of 7.2. This flaw enables remote authenticated attackers to execute commands on the underlying operating system via the admin web console.

Additionally, CVE-2024-37404 is a critical vulnerability with a CVSS score of 9.1, impacting both Ivanti Connect Secure and Policy Secure. This flaw allows a remote authenticated attacker to achieve remote code execution due to improper input validation in the admin portal of vulnerable versions.

The vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog signify the need for immediate action. When a vulnerability appears on this list, it means threat actors have been observed exploiting it against real victims. Attackers can use these vulnerabilities for data breaches, ransomware attacks, and privilege escalation, posing significant risk to organizations.

Recommendations and Mitigations

To mitigate these risks effectively, organizations must take proactive measures. Some of the mitigation strategies include:

Patch management: Regularly update all software and hardware systems with the latest patches released by the vendor to significantly reduce the risk of exploitation. Create a routine schedule for patch application, ensuring that critical patches are prioritized to maintain system security. The process should include inventory management, patch assessment, testing, deployment, and verification, and should be automated wherever possible to enhance efficiency and consistency.

Network segmentation: Divide networks into distinct segments to isolate critical assets from less secure areas, reducing the attack surface exposed to an attacker.

Incident response planning: Outline procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Monitoring and logging: Implement comprehensive monitoring to detect and analyze suspicious activities. Use Security Information and Event Management (SIEM) systems to aggregate and correlate logs for real-time threat detection and response.

Conclusion

By adopting these strategies, organizations can reduce their exposure to exploitation and enhance their overall security posture. The proactive measures highlighted in this advisory are essential for protecting sensitive information and maintaining system integrity on an increasingly hostile internet. Immediate action is required to mitigate the risks posed by these vulnerabilities and ensure that organizational assets are safeguarded against potential threats.

The post CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products appeared first on Cyble.

Blog – Cyble – Read More

The Internet Archive slammed by DDoS attack and data breach

The Internet Archive, the nonprofit organization that digitizes and archives materials like web pages, came under attack Wednesday. Several users – including over at The Verge – confronted a pop-up when visiting the site, reading, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), is a remote code execution flaw affecting FortiOS, FortiPAM, FortiProxy, and FortiWeb.
“A

The Hacker News – Read More

Firefox Zero-Day Under Attack: Update Your Browser Immediately

Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component.
“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in

The Hacker News – Read More

Internet Archive Breach Exposes 31 Million Users

The hack exposed the data of 31 million users as the embattled Wayback Machine maker scrambles to stay online and contain the fallout of digital—and legal—attacks.

Security Latest – Read More

Marriott Agrees to Pay $52 million, Beef up Data Security to Resolve Probes Over Data Breaches

Marriott agreed to pay $52 million and make changes to bolster its data security to resolve claims related to major data breaches that affected more than 300 million customers.

The post Marriott Agrees to Pay $52 million, Beef up Data Security to Resolve Probes Over Data Breaches appeared first on SecurityWeek.

SecurityWeek – Read More