Focus Friday: TPRM Insights On Cleo File Transfer, BeyondTrust PRA and RS, and Ivanti Cloud Services Application Vulnerabilities
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we delve into high-profile vulnerabilities and provide actionable insights from a Third-Party Risk Management (TPRM) perspective. This edition explores critical vulnerabilities in Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application. These vulnerabilities, including remote code execution and command injection, could compromise sensitive data and disrupt operations across industries, and they demand immediate attention from TPRM professionals. Let’s explore the risks, the recommended remediations, and how Black Kite’s FocusTags™ streamline the risk management process for these pressing concerns.
CVE-2024-55956 in Cleo File Transfer Software
What are the critical vulnerabilities in Cleo File Transfer software?
In our Focus Friday blog post last week, we discussed Cleo’s critical vulnerability, CVE-2024-50623. This week, we need to focus on CVE-2024-55956, which affects Cleo File Transfer products, and the systemic risks these vulnerabilities pose.
In our December 18 article titled “CL0P’s Exploitation of Cleo Directly Endangers the Supply Chain,” we detailed how the CL0P ransomware group has been exploiting vulnerabilities in Cleo’s software to threaten supply chains.
Two critical vulnerabilities have been identified in Cleo Harmony®, Cleo VLTrader®, and Cleo LexiCom® products:
CVE-2024-55956 is the Remote Code Execution Vulnerability in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24, enabling unauthenticated users to execute arbitrary Bash or PowerShell commands by exploiting default settings in the Autorun directory.
Both vulnerabilities have been actively exploited. CVE-2024-50623 was added to CISA’s Known Exploited Vulnerabilities catalog on December 13, 2024, and CVE-2024-55956 was added on December 17, 2024. Cleo has released patches to address these issues, and users are strongly advised to update to the latest versions to mitigate potential risks.
Public PoC exploit code exists for both vulnerabilities, and exploitation has been observed against industries such as logistics and shipping. Together they enable unauthorized file uploads and remote execution of malicious commands.
Why should TPRM professionals care about these vulnerabilities?
These vulnerabilities represent significant risks for organizations relying on Cleo file transfer solutions:
For organizations utilizing Cleo products, timely mitigation is essential to avoid disruption and ensure data security.
What questions should TPRM professionals ask vendors about these vulnerabilities?
Remediation recommendations for vendors subject to this risk
To address these vulnerabilities, vendors should:
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite published the Cleo File Transfer FocusTag™ on December 13, 2024, providing actionable insights for TPRM professionals. This tag identifies vendors using affected versions and details exposed assets like subdomains and IP addresses.
With Black Kite, TPRM professionals can:
This FocusTag™ ensures efficient vendor management and proactive risk mitigation, empowering TPRM professionals to address critical vulnerabilities effectively.
CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773 in Ivanti Cloud Services Application
The Ivanti Cloud Services Appliance (CSA) is an internet-facing device that facilitates secure communication between remote endpoints and the central Ivanti Endpoint Manager core server. It enables organizations to manage devices outside their corporate network, ensuring that endpoints can receive updates, patches, and policies regardless of their location. The key features of the Ivanti Cloud Services Appliance (CSA) include: Secure Remote Management, Certificate-Based Authentication, Support for Multiple Appliances, and Virtual Appliance Option.
What are the critical vulnerabilities in Ivanti Cloud Services Application?
These vulnerabilities impact versions of Ivanti CSA prior to 5.0.3 and include the following:
CVE-2024-11639 is an authentication bypass vulnerability in the admin web console of Ivanti Cloud Services Appliance (CSA) versions before 5.0.3, allowing remote unauthenticated attackers to gain administrative access.
CVE-2024-11772 is a command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, enabling remote authenticated attackers with administrative privileges to execute arbitrary code on the server.
CVE-2024-11773 is an SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3, allowing remote authenticated attackers with administrative privileges to execute arbitrary SQL statements.
All three vulnerabilities are critical, with CVE-2024-11639 having a CVSS score of 10.0, and both CVE-2024-11772 and CVE-2024-11773 each having a CVSS score of 9.1.
These vulnerabilities were first disclosed on December 10, 2024, with no current evidence of exploitation in the wild. However, considering the history of rapid exploitation of Ivanti vulnerabilities, immediate action is advised. They are not yet listed in CISA’s KEV catalog.
Why should TPRM professionals care about these vulnerabilities?
For TPRM professionals, these vulnerabilities in Ivanti CSA could lead to severe business risks:
Organizations leveraging Ivanti CSA for IT management need to ensure their vendors have addressed these risks to prevent potential disruptions and data breaches.
What questions should TPRM professionals ask vendors about these vulnerabilities?
Remediation recommendations for vendors subject to this risk
Vendors using Ivanti CSA should implement the following recommendations:
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite published the Ivanti Cloud Services Application FocusTag™ on December 13, 2024, providing actionable insights. This tag identifies vendors potentially exposed to these vulnerabilities, detailing the affected assets, including subdomains and IP addresses.
By leveraging these insights, TPRM professionals can:
Black Kite’s FocusTags™ eliminate the guesswork in identifying vulnerable vendors, streamlining the risk assessment process for TPRM professionals.
CVE-2024-12356 in BeyondTrust PRA and RS
What is the BeyondTrust PRA and RS Command Injection Vulnerability?
CVE-2024-12356 is a critical command injection vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. It allows unauthenticated remote attackers to execute operating system commands as the site user by sending malicious client requests. The vulnerability carries a CVSS score of 9.8 and affects PRA and RS versions up to and including 24.3.1. Publicly disclosed on December 16, 2024, it poses a significant security risk because PoC exploit code is available, making it a high-priority target for attackers even though no active exploitation has been reported thus far. Its critical nature also led to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog on December 19, 2024. With an EPSS score of 0.05%, organizations using the affected versions are urged to address this issue promptly to mitigate potential risks.
The vulnerability stems from improper neutralization of special elements used in commands, making it exploitable via a low-complexity attack. BeyondTrust has released patches for all supported versions (22.1.x and above).
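As an added illustration of the two injection classes described above for Ivanti CSA (CVE-2024-11772 command injection, CVE-2024-11773 SQL injection) and for BeyondTrust PRA/RS (CVE-2024-12356, improper neutralization of special elements used in commands), the following Python shows a string-built SQL query and a shell-concatenated OS command beside their hardened forms. This is example code written for this post, not Ivanti's or BeyondTrust's code; the admin-console user lookup, the in-memory SQLite table, and the use of `echo` as a stand-in for a real diagnostic command are constructed assumptions.

```python
import re
import sqlite3
import subprocess


def make_db():
    # Constructed stand-in for an admin console's user table (in-memory SQLite).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "operator")])
    return conn


# --- SQL injection (CWE-89): vulnerable vs. parameterised ------------------

def find_user_vulnerable(conn, name):
    # The request parameter is spliced into the statement text, so a quote in
    # `name` rewrites the WHERE clause and returns rows it should not.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, name):
    # The driver binds the value; whatever characters it contains, it can
    # never change the structure of the statement.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- OS command injection (CWE-78): vulnerable vs. allowlist + argv --------

# Strict allowlist for a hostname argument (constructed for the example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def run_tool_vulnerable(host):
    # shell=True plus string concatenation: shell metacharacters in `host`
    # append further commands. `echo` stands in for the real tool so the
    # demonstration stays harmless; the extra output shows the injection.
    result = subprocess.run("echo " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_tool_hardened(host):
    # Validate against the allowlist first, then pass an argv list that no
    # shell parses, so metacharacters are rejected before any process starts.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected: not a hostname")
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable SQL:", find_user_vulnerable(db, payload))
    print("hardened SQL:  ", find_user_hardened(db, payload))
    print("vulnerable cmd:", repr(run_tool_vulnerable("x; echo INJECTED")))
    try:
        run_tool_hardened("x; echo INJECTED")
    except ValueError as exc:
        print("hardened cmd:  ", exc)
```

The same two fixes, binding parameters rather than concatenating SQL and passing an argv list behind an input allowlist rather than a shell string, are what a vendor's remediation of this class of defect looks like in code, and they are the controls a TPRM reviewer can ask a vendor to confirm in their secure development practices.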
Why should TPRM professionals care about this vulnerability?
BeyondTrust’s PRA and RS solutions are widely used for privileged remote access and IT support, making them an attractive target for attackers. Exploitation of this vulnerability could:
Organizations using BeyondTrust products need to address this vulnerability urgently to protect against potential exploitation.
What questions should TPRM professionals ask vendors about this vulnerability?
Remediation recommendations for vendors subject to this risk
To mitigate the risks associated with CVE-2024-12356, vendors should:
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite released the BeyondTrust PRA RS FocusTag™ on December 19, 2024, offering detailed insights into vendors potentially impacted by CVE-2024-12356. The tag provides:
TPRM professionals can use these insights to:
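As an added example, and not Black Kite's tooling or any vendor's code, the following Python triages a constructed vendor asset inventory against the affected-version ranges stated in this post (Cleo Harmony, VLTrader and LexiCom before 5.8.0.24 for CVE-2024-55956; Ivanti CSA before 5.0.3; BeyondTrust PRA and RS up to and including 24.3.1) and ranks each finding by whether its CVE appears in CISA's KEV catalog on the dates given above. It compares versions numerically rather than as strings, because a lexical comparison ranks 5.8.0.9 above 5.8.0.24 and would miss that install. The vendor names, asset records and the P1/P2 labels are constructed for the example.

```python
# Affected ranges as stated in this post: product -> (operator, boundary, CVEs).
AFFECTED = {
    "Cleo Harmony":    ("lt", "5.8.0.24", ["CVE-2024-55956"]),
    "Cleo VLTrader":   ("lt", "5.8.0.24", ["CVE-2024-55956"]),
    "Cleo LexiCom":    ("lt", "5.8.0.24", ["CVE-2024-55956"]),
    "Ivanti CSA":      ("lt", "5.0.3",
                        ["CVE-2024-11639", "CVE-2024-11772", "CVE-2024-11773"]),
    "BeyondTrust PRA": ("le", "24.3.1", ["CVE-2024-12356"]),
    "BeyondTrust RS":  ("le", "24.3.1", ["CVE-2024-12356"]),
}

# CISA KEV addition dates quoted in this post for the CVEs above.
KEV_ADDED = {
    "CVE-2024-55956": "2024-12-17",
    "CVE-2024-12356": "2024-12-19",
}

# Constructed inventory; vendors and versions are invented for the example.
SAMPLE_INVENTORY = [
    {"vendor": "Acme Logistics", "product": "Cleo Harmony",    "version": "5.8.0.21"},
    {"vendor": "Acme Logistics", "product": "Cleo VLTrader",   "version": "5.8.0.9"},
    {"vendor": "Acme Logistics", "product": "Cleo LexiCom",    "version": "5.8.0.24"},
    {"vendor": "Contoso",        "product": "Ivanti CSA",      "version": "5.0.2"},
    {"vendor": "Contoso",        "product": "Ivanti CSA",      "version": "5.0.3"},
    {"vendor": "Fabrikam",       "product": "BeyondTrust RS",  "version": "24.3.1"},
    {"vendor": "Fabrikam",       "product": "BeyondTrust PRA", "version": "24.3.2"},
]


def parse_version(text):
    """Turn '5.8.0.24' into (5, 8, 0, 24) so components compare as integers."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a, b):
    # Right-pad the shorter tuple with zeros so '24.3' == '24.3.0'.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(product, version):
    """Return the CVEs that apply if `version` of `product` is in range, else []."""
    rule = AFFECTED.get(product)
    if rule is None:
        return []
    op, boundary, cves = rule
    v, b = _padded(parse_version(version), parse_version(boundary))
    hit = v < b if op == "lt" else v <= b
    return list(cves) if hit else []


def triage(inventory):
    """Flag affected assets and order them: KEV-listed CVEs first, then by vendor."""
    findings = []
    for asset in inventory:
        cves = is_affected(asset["product"], asset["version"])
        if not cves:
            continue
        kev = [c for c in cves if c in KEV_ADDED]
        findings.append({
            "vendor": asset["vendor"],
            "product": asset["product"],
            "version": asset["version"],
            "cves": cves,
            "kev_added": {c: KEV_ADDED[c] for c in kev},
            "priority": "P1" if kev else "P2",
        })
    findings.sort(key=lambda f: (f["priority"], f["vendor"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["priority"], f["vendor"], f["product"], f["version"],
              ",".join(f["cves"]), f["kev_added"] or "")
```

Running the block lists four exposed assets: the two Cleo installs and the BeyondTrust RS install come first as P1 because their CVEs are KEV-listed, and the Ivanti CSA 5.0.2 install follows as P2 since, per the post, those CVEs were not yet in the KEV catalog. Note that the VLTrader 5.8.0.9 entry is caught only because of the numeric comparison.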
ENHANCING TPRM STRATEGIES WITH BLACK KITE’S FocusTags™
In the face of increasingly sophisticated cyber threats, Black Kite’s FocusTags™ stand as a beacon for proactive Third-Party Risk Management (TPRM). This week’s vulnerabilities—spanning critical systems like Cleo File Transfer, BeyondTrust PRA RS, and Ivanti Cloud Services Application—highlight the pressing need for targeted, efficient, and informed risk management strategies. Here’s how FocusTags™ enhance TPRM practices:
By transforming complex cybersecurity data into actionable insights, Black Kite’s FocusTags™ revolutionize TPRM, ensuring businesses can protect their supply chains and partners against even the most sophisticated cyber threats. As vulnerabilities continue to emerge, these tags provide the clarity and precision needed for proactive and effective risk management.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
Black Kite thanks for sharing the TLDR on these key vulnerabilities and how to drive actions and focus on third parties: