SA45520 - CVEs (CVE-2022-35254, CVE-2022-35258) may lead to DoS attack


Information

 
Product Affected
Problem
Summary:
An unauthenticated attacker can cause a denial of service on the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Gateway in versions prior to 22.3R1.

Mitigation:
None currently.
Solution
Remediation:

For Ivanti Connect Secure (ICS), update the appliances to the applicable dot release.
9.1 Releases:
•    9.1R14.3 (LTS)
•    9.1R15.2
•    9.1R16.2
22.x Releases:
•    22.2R4    
For Ivanti Policy Secure (IPS), Ivanti will include the fix in the next GA releases, 9.1R17 and 22.3R1.
For Ivanti Neurons for Zero-Trust Gateway, Ivanti will include the fix in the next GA release, 22.3R1.

Note: Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 09, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller.
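
A version check against the fixed ICS releases listed above, added here as an example and not Ivanti code. It assumes version strings of the form `9.1R14.3` and that a release train newer than every listed fix in the same branch carries the fix; `ics_status`, `needs_attention` and the inventory are hypothetical names and constructed data.

```python
import re

# Fixed Ivanti Connect Secure releases, copied from the Remediation list.
ICS_FIXED = ["9.1R14.3", "9.1R15.2", "9.1R16.2", "22.2R4"]

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse(version):
    """'9.1R14.3' -> (9, 1, 14, 3); a missing dot release counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def ics_status(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for an ICS version string."""
    v = parse(version)
    fixed = [parse(f) for f in ICS_FIXED]
    branch = [f for f in fixed if f[:2] == v[:2]]    # same major.minor line
    if not branch:
        return "unknown"           # branch not named in the advisory
    same_train = [f for f in branch if f[2] == v[2]]
    if same_train:                 # e.g. 9.1R15.x is judged against 9.1R15.2
        return "fixed" if v >= same_train[0] else "vulnerable"
    # Assumption: a train newer than every listed fix in its branch already
    # contains the fix; an older train has no fixed dot release.
    return "fixed" if v > max(branch) else "vulnerable"


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {"vpn-a": "9.1R14.2", "vpn-b": "9.1R16.2",
             "vpn-c": "22.2R1", "vpn-d": "22.3R1"}


def needs_attention(inventory):
    """Hosts whose version is not confirmed fixed, mapped to the reason."""
    return {h: s for h, v in inventory.items()
            if (s := ics_status(v)) != "fixed"}


if __name__ == "__main__":
    for host, reason in needs_attention(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} is {reason}")
```

An `unknown` result means the branch is not one the advisory names, so it needs a manual check rather than being treated as safe.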

Impact:
Denial of service: normal operation of the Ivanti Connect Secure (ICS) application will resume once the attacker stops sending malicious traffic.


Info:
CVE: CVE-2022-35254
CVSS (Common Vulnerability Scoring System) Score: 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Product:
•    Ivanti Policy Secure 9.1R16, 22.2R1 and below
•    Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below

CVE: CVE-2022-35254
CVSS (Common Vulnerability Scoring System) Score: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Product:
•    Ivanti Connect Secure 9.1R16.1, 22.2R1 and below
•    Ivanti Neurons for Secure Access prior to 10/09/2022 (patched)

CVE: CVE-2022-35258
CVSS (Common Vulnerability Scoring System) Score: 6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Product:
•    Ivanti Policy Secure 9.1R16, 22.2R1 and below
•    Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below

CVE: CVE-2022-35258
CVSS (Common Vulnerability Scoring System) Score: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Product:
•    Ivanti Connect Secure 9.1R16.1, 22.2R1 and below
•    Ivanti Neurons for Secure Access prior to 10/09/2022 (patched)