Multiple Attacks Force CISA to Order US Agencies to Upgrade or Remove End-of-Life Ivanti Appliance

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

Don't use acronyms in headlines

[Anonymous Coward]

or anywhere they have not been previously introduced. This is basic writing 101.

Re:

[geekmux]

or anywhere they have not been previously introduced. This is basic writing 101.

Fair point, but knowing your audience is relevant as well. CISA ain’t exactly new or unheard of in tech circles.

Re:

[drinkypoo]

Maybe in one country's tech circles....

Yes, the country being discussed. If you're not familiar with its tech laws, you probably don't have too much useful to say about its tech issues either.

Re:

[Chris Mattern]

"Fair point, but knowing your audience is relevant as well. CISA ainâ(TM)t exactly new or unheard of in tech circles."

Really? I have no idea what it is, and I manage computers for a living.

"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[geekmux]

"Fair point, but knowing your audience is relevant as well. CISA ainâ(TM)t exactly new or unheard of in tech circles."

Really? I have no idea what it is, and I manage computers for a living.

Then perhaps you could manage to RTFS (Read The Fucking Summary) then. Because it was spelled out for you a few inches below the headline. Even provided the necessary clarity between CSA and CISA.

Sure would be nice if people had a valid complaint.

Re:

[AvitarX]

Great so now summaries about RFCs, AMD, and TCP/IP are all going to need to have acronyms defined?

I'd rather not.

Re:

[Vlad_the_Inhaler]

Great so now summaries about RFCs, AMD, and TCP/IP are all going to need to have acronyms defined?

Garbage, those are universal.
CISA is largely unknown to people outside the US.
I would not have bothered complaining because the acronym is explained in the text, but it is not something I was familiar with.

A pretty good racket

[arglebargle_xiv]

Sell insecure buggy crap to governments, then declare it EOL when yet another vuln is discovered so they're forced to buy a new lot of insecure buggy crap. Repeat until shareholder value is maximised.

Re:

[drinkypoo]

That's exactly why government shouldn't be using any such thing at all.

They should only be using FOSS on commodity hardware, which absolutely can do the same job.

Too bad crony capitalism rules the day and US government at all levels is addicted to Microsoft and IBM as a result.

Re:

[gweihir]

Indeed. The current practices are pure insanity.

Re:

[echo123]

That's exactly why government shouldn't be using any such thing at all.

They should only be using FOSS on commodity hardware, which absolutely can do the same job.

Too bad crony capitalism rules the day and US government at all levels is addicted to Microsoft and IBM as a result.

FWIW, most government websites in the world are developed with free, open-source Drupal on Linux servers. Here's a heavy duty list [drupal.org] of them.

The Obama administration fully embraced open-source solutions in a major way, right from the beginning. In fact, in addition to the Housing and Banking crises, the Obama administration had to clean up the previous administration's Microsoft Exchange document retention problems [arstechnica.com], (arguably in-place by design).

That said, proprietary software such as all that Microsoft junk

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gweihir]

Indeed. This crap has to stop. We need liability and reasonable mandatory minimum supported lifetime for software. We really cannot afford to continue to half-ass engineering in something this critical for a functioning society.

"pledged a security overhaul"... suuure....

[gweihir]

Same as Microsoft, Clownstroke, and others: Wait until things have quieted down, then quietly continue to ignore IT security and good engineering practices. Much more profitable, at least in the short run,

Ivanti is the gift that keeps on giving

[EvilSS]

I used to work pretty closely with one of the companies they absorbed. They had great support, great technical resources who knew the product inside-out, and a good development cycle. After they were pulled into Invanti that all went downhill. I went from knowing quite a few people from the CEO on down, to having no contacts. They all left or were let go. Development slowed to a crawl and support went to crap. I went from highly recommending the product to actively discouraging it. My understanding that most of their product acquisitions went that way.

Junk

[Bahbus]

Ivanti is a junk company that peddles junk software. Then again, I expect nothing less from a company headquartered in Utah.