Cloud Security

Multiple Attacks Force CISA to Order US Agencies to Upgrade or Remove End-of-Life Ivanti Appliance (therecord.media)

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). CISA noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6 from service or upgrade to 5.0 by October 4," reports the Record:

Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.
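The indicator Ivanti points to above, a modified or newly added administrative user, is the kind of check that is easy to do by hand once and easy to forget afterwards. The script below is an added example, not code from Ivanti, CISA or the Record: it diffs an exported account list against a known-good baseline and reports new admins, accounts escalated to admin, admin records touched since the baseline, and accounts that disappeared. The JSON layout (`name`, `role`, `modified`), the role value `admin`, and both snapshots are assumptions constructed for illustration; a real appliance export would need its own loader.

```python
import json
from dataclasses import dataclass

# Constructed baseline snapshot (not real CSA data): the account list as it
# looked when it was last reviewed and approved.
BASELINE_JSON = """
[
  {"name": "csaadmin", "role": "admin",    "modified": "2024-06-01T10:00:00Z"},
  {"name": "backupop", "role": "operator", "modified": "2024-06-01T10:05:00Z"},
  {"name": "auditor",  "role": "readonly", "modified": "2024-06-01T10:06:00Z"}
]
"""

# Constructed current snapshot: one admin record touched, one role escalated
# to admin, one unchanged account, one brand-new admin.
CURRENT_JSON = """
[
  {"name": "csaadmin", "role": "admin",    "modified": "2024-09-12T03:14:00Z"},
  {"name": "backupop", "role": "admin",    "modified": "2024-09-12T03:15:00Z"},
  {"name": "auditor",  "role": "readonly", "modified": "2024-06-01T10:06:00Z"},
  {"name": "support2", "role": "admin",    "modified": "2024-09-12T03:16:00Z"}
]
"""

# Assumption: which role values carry administrative rights on the device.
ADMIN_ROLES = {"admin"}


@dataclass
class Finding:
    kind: str    # "new_admin", "escalated", "modified_admin" or "removed"
    name: str
    detail: str


def load_users(text):
    """Parse an exported user list into a {name: record} map."""
    return {u["name"]: u for u in json.loads(text)}


def compare_admins(baseline, current):
    """Return every change to the privileged population since the baseline."""
    findings = []
    for name, rec in current.items():
        is_admin = rec["role"] in ADMIN_ROLES
        old = baseline.get(name)
        if old is None:
            # Account did not exist at baseline; only admins are reported here.
            if is_admin:
                findings.append(Finding("new_admin", name, f"role={rec['role']}"))
            continue
        was_admin = old["role"] in ADMIN_ROLES
        if is_admin and not was_admin:
            findings.append(Finding("escalated", name, f"{old['role']} -> {rec['role']}"))
        elif is_admin and rec["modified"] != old["modified"]:
            # Same admin, but its record changed (password, attributes, ...).
            findings.append(Finding("modified_admin", name,
                                    f"modified {old['modified']} -> {rec['modified']}"))
    for name, old in baseline.items():
        if name not in current:
            # A vanished account is worth a look too, admin or not.
            findings.append(Finding("removed", name, f"role={old['role']}"))
    return findings


def check(baseline_text, current_text):
    """Convenience wrapper: raw JSON in, list of Finding out."""
    return compare_admins(load_users(baseline_text), load_users(current_text))


if __name__ == "__main__":
    for f in check(BASELINE_JSON, CURRENT_JSON):
        print(f"{f.kind:15} {f.name:10} {f.detail}")
```

Run against the constructed snapshots it reports three findings (`csaadmin` modified, `backupop` escalated, `support2` new) and nothing for `auditor`. The baseline should be captured from the appliance before it is exposed, stored somewhere the appliance cannot write to, and refreshed only after an approved change; otherwise the comparison silently blesses whatever an intruder left behind.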

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.


  • by Anonymous Coward
    or anywhere they have not been previously introduced. This is basic writing 101.
    • or anywhere they have not been previously introduced. This is basic writing 101.

      Fair point, but knowing your audience is relevant as well. CISA ain’t exactly new or unheard of in tech circles.

      • "Fair point, but knowing your audience is relevant as well. CISA ain't exactly new or unheard of in tech circles."

        Really? I have no idea what it is, and I manage computers for a living.


        • So you're a PHB. Go back to playing with your pencils, leave actually doing things with computers and /. to real nerds.
        • "Fair point, but knowing your audience is relevant as well. CISA ain't exactly new or unheard of in tech circles."

          Really? I have no idea what it is, and I manage computers for a living.

          Then perhaps you could manage to RTFS (Read The Fucking Summary) then. Because it was spelled out for you a few inches below the headline. Even provided the necessary clarity between CSA and CISA.

          Sure would be nice if people had a valid complaint.

    • by AvitarX ( 172628 )

      Great so now summaries about RFCs, AMD, and TCP/IP are all going to need to have acronyms defined?

      I'd rather not.

      • Great so now summaries about RFCs, AMD, and TCP/IP are all going to need to have acronyms defined?

        Garbage, those are universal.
        CISA is largely unknown to people outside the US.
        I would not have bothered complaining because the acronym is explained in the text, but it is not something I was familiar with.

  • by arglebargle_xiv ( 2212710 ) on Monday September 16, 2024 @08:18AM (#64789943)
    Sell insecure buggy crap to governments, then declare it EOL when yet another vuln is discovered so they're forced to buy a new lot of insecure buggy crap. Repeat until shareholder value is maximised.
    • That's exactly why government shouldn't be using any such thing at all.

      They should only be using FOSS on commodity hardware, which absolutely can do the same job.

      Too bad crony capitalism rules the day and US government at all levels is addicted to Microsoft and IBM as a result.

    • by gweihir ( 88907 )

      Indeed. This crap has to stop. We need liability and reasonable mandatory minimum supported lifetime for software. We really cannot afford to continue to half-ass engineering in something this critical for a functioning society.

  • Same as Microsoft, Clownstroke, and others: Wait until things have quieted down, then quietly continue to ignore IT security and good engineering practices. Much more profitable, at least in the short run.

  • by EvilSS ( 557649 ) on Monday September 16, 2024 @09:52AM (#64790107)
    I used to work pretty closely with one of the companies they absorbed. They had great support, great technical resources who knew the product inside-out, and a good development cycle. After they were pulled into Ivanti that all went downhill. I went from knowing quite a few people from the CEO on down, to having no contacts. They all left or were let go. Development slowed to a crawl and support went to crap. I went from highly recommending the product to actively discouraging it. My understanding is that most of their product acquisitions went that way.
  • Ivanti is a junk company that peddles junk software. Then again, I expect nothing less from a company headquartered in Utah.
