Headline
CVE-2022-35258: Public KB - SA45520 - CVEs (CVE-2022-35254, CVE-2022-35258) may lead to DoS attack
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
Problem
Summary:
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Gateway in versions prior to 22.3R1.
Mitigation:
None Currently
Solution
Remediation:
For Ivanti Connect Secure (ICS), update the appliances to the applicable dot release.
9.1 Releases:
• 9.1R14.3 (LTS)
• 9.1R15.2
• 9.1R16.2
22.x Releases:
• 22.2R4
For Ivanti Policy Secure (IPS), Ivanti will include the fix in the next GA, 9.1R17 and 22.3R1.
For Ivanti Neurons for Zero-Trust Gateway, Ivanti will include the fix in the next GA, 22.3R1.
Note: Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 09, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller.
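An inventory check against the fixed releases listed above, added here as an example and not part of Ivanti's advisory. It assumes version strings in the advisory's own form (such as 9.1R14.3) and that each fixed release covers its own release train; the key "ZTG" and the host names are made up for the example.

```python
import re

# Fixed releases as listed in the advisory. "ZTG" is shorthand chosen for this
# example for Ivanti Neurons for Zero-Trust Gateway.
FIXED = {
    "ICS": ["9.1R14.3", "9.1R15.2", "9.1R16.2", "22.2R4"],
    "IPS": ["9.1R17", "22.3R1"],
    "ZTG": ["22.3R1"],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """'9.1R14.3' -> (9, 1, 14, 3); a missing dot release counts as 0."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable(product, version):
    """True if `version` predates the fix that applies to it.

    Assumption: a fix covers its own train (9.1R15.x is fixed from 9.1R15.2).
    Without a fix in the same train, the newest fix in the same major.minor
    branch decides, then the newest fix overall.
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED[product]]
    for width in (3, 2, 0):  # same train, same branch, any fix
        candidates = [f for f in fixes if f[:width] == v[:width]]
        if candidates:
            return v < max(candidates)

def audit(inventory):
    """Return the hosts from (host, product, version) rows that need an update."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]

# Constructed inventory; host names are placeholders.
SAMPLE_INVENTORY = [
    ("vpn-a.example", "ICS", "9.1R14.3"),
    ("vpn-b.example", "ICS", "9.1R15.1"),
    ("vpn-c.example", "ICS", "22.2R1"),
    ("nac-a.example", "IPS", "9.1R16"),
    ("nac-b.example", "IPS", "22.3R1"),
    ("ztg-a.example", "ZTG", "22.2R1"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Releases that fall outside every listed train are judged by the fallback rule in the docstring, so confirm those against the vendor's release notes.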
Impact:
Denial of service: normal operation of the Ivanti Connect Secure (ICS) application will resume once the attacker stops sending malicious traffic.
Info:

| CVE | CVSS (Common Vulnerability Scoring System) | Affected Product |
|---|---|---|
| CVE-2022-35254 | Score 6.5, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Ivanti Policy Secure 9.1R16, 22.2R1 and below; Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below |
| CVE-2022-35254 | Score 7.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Ivanti Connect Secure 9.1R16.1, 22.2R1 and below; Ivanti Neurons for Secure Access prior to 10/09/2022 (patched) |
| CVE-2022-35258 | Score 6.5, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Ivanti Policy Secure 9.1R16, 22.2R1 and below; Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below |
| CVE-2022-35258 | Score 7.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Ivanti Connect Secure 9.1R16.1, 22.2R1 and below; Ivanti Neurons for Secure Access prior to 10/09/2022 (patched) |