Legacy Ivanti Cloud Service Appliance Being Exploited

CISA wants everyone—and government agencies in particular—to remove or upgrade an Ivanti Cloud Service Appliance (CSA) that is no longer being supported.

Welcome to the security nightmare that is the Internet of Things.

EDITED TO ADD (10/12): The Cloud Service Appliance isn’t an actual appliance, but software you install on a computer. So it’s not IoT.

Posted on September 16, 2024 at 10:49 AM • 9 Comments

Comments

wiredog September 16, 2024 11:23 AM

Not so much an IoT nightmare as a bad sysadmin nightmare. It’s an old product that’s end of life, and the company that supports it is still in business, just not supporting anything older than the current version. It was not a surprise that it was end of life, either. The affected sysadmins should know what hardware is on their networks, and what software is running on that hardware.

Not that they do. Here at $Corp I was on a project a couple of years ago to update some things related to the timecard system and a couple sysadmins were surprised to hear from us that the software was running on their servers, and had been for years.

Pete Forman September 16, 2024 1:43 PM

CSA 5.0 only became available a couple of weeks before 4.6 went EOL.

4.6 was based on CentOS 7. I guess Ivanti missed or ignored the CentOS EOL.

Neither inspires confidence in Ivanti.

Ivanti forum thread

Untitled September 16, 2024 4:13 PM

Welcome to the security nightmare that is the Internet of Things.

What Things? You seem to have been misled by the word “appliance”. As the story makes clear, it’s not a Thing, it’s a piece of software, CSA 4.6, which is end-of-life and has a vulnerability: customers should have upgraded to CSA 5.0. The old story of not bothering to keep your software up-to-date.

Clive Robinson September 17, 2024 2:15 AM

@ ALL,

Three questions to think about with IoT, domestic electronics, white goods, cars and much else,

1, If you buy a physical item / box and plug it in / use it, is it an appliance, is it software, or is it in some kind of curious superposition of both?

2, If you have purchased and paid for a physical item from a single source, can the supplier prevent you from using it at whim?

3, If you have purchased and paid for a physical item can you at will change the software on it?

When you look into these questions in many jurisdictions you will find that physical devices with software are not something you should have anything to do with, because they have so many Catch-22 issues you are actually purchasing legal liability for yourself…

Now consider that the software may not work consistently for you as a user. That is it either does not behave in a reasonably deterministic way, or it does not “work the same way twice” with the same user input.

Who carries the liability on such things?

After all if you turn the wheel clockwise and the vehicle goes to the left not the right apparently randomly from time to time who is to blame for any consequences of you turning the wheel?

Back in times past with “driven animals” this sort of thing happened quite frequently, but the speeds involved usually made things a nuisance rather than a danger.

The usual way to solve such things in the past was to look for the “controlling mind” and “entity agency” then apply the curious “reasonableness test”.

Software and the deterministic physical devices it can make behave apparently inconsistently challenges the meanings of “agency” and “reasonable”.

Take AI LLMs with ML: it has been claimed that we do not have the ability to “open the box and predictably discern the behaviours in advance” even though the actual system by which they function is claimed to be provably deterministic at all levels.

In the sense of the alleged Chinese Curse, we now all “live in interesting times” and the guard labour and legal professions are going to get things wrong. In part because they have lost the way of thinking correctly, and similarly in part because legislators are at best fallible and care not to reason things through in, let’s be polite and call it, their haste to be seen to be authoritative.

ResearcherZero September 26, 2024 4:36 AM

@Untitled

A lot of people do not know how to update their things. They do not know that a router, a fridge, a washing machine, televisions and security cameras require updating, or how to.

Not all of these devices perform automatic updates. Some can be easily exploited via Wi-Fi.
Others can be easily exploited remotely as they have critical vulnerabilities in firmware.

Many IoT devices run EoL operating systems and additional third party software.

ResearcherZero September 26, 2024 4:46 AM

Manufacturers often release updates for exploits after customer systems are penetrated.

OS command injection vulnerability (CVE-2024-8190)

A cyber threat actor could exploit this vulnerability to take control of an affected system. …provides “access to the device running the CSA.”

And indeed customers had been penetrated (their networks anyway).

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190
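The advisory quoted above names the vulnerability class, OS command injection, without explaining it. The following is an added illustration in Python of that class in general; it is not Ivanti’s code and says nothing about how CVE-2024-8190 itself arises. The hostname-lookup scenario, the function names and the tainted input string are constructed for the example. It puts the vulnerable shape (untrusted input concatenated into a string a shell will parse) beside the hardened shape (allow-list validation, then an argv list handed to `subprocess` with `shell=False`), and uses `shlex` to show how a POSIX shell would tokenise the tainted string.

```python
import re
import shlex
import subprocess

# Constructed example input: a "hostname" that smuggles in a second command.
# Illustrative only; unrelated to any real product's input handling.
INJECTED_INPUT = "example.internal; id"

# Allow-list for a DNS hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into one string that is later
    given to a shell (os.system, subprocess with shell=True, ...). Any shell
    metacharacter in `host` becomes shell syntax instead of data."""
    return "ping -c 1 " + host


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, so the effect of the
    injected ';' is visible: it ends the ping command and starts a new one."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def build_command_hardened(host: str) -> list[str]:
    """Hardened pattern: reject anything that is not a plausible hostname, then
    build an argv list. Each element is passed to the program as one argument;
    no shell ever parses the input, so metacharacters cannot change the command."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_stand_in(host: str) -> str:
    """Execute with shell=False. `echo` stands in for the real network utility so
    the example runs without network access or privileges; the argv discipline
    is identical for `ping`."""
    argv = build_command_hardened(host)
    argv[0:3] = ["echo"]  # swap the utility, keep the validated argument
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    tainted = build_command_vulnerable(INJECTED_INPUT)
    print("vulnerable string :", tainted)
    print("shell sees tokens :", shell_tokens(tainted))
    try:
        build_command_hardened(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened rejects  :", exc)
    print("hardened executes :", run_stand_in("example.internal"))
```

The defensive point is the combination: validation narrows the input to what the feature actually needs, and the argv list removes the shell from the path entirely, so a validation bypass still cannot become command execution.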

ResearcherZero September 27, 2024 1:47 AM

@Untitled

Ivanti make management appliances. Gateways, VPNs and ‘traffic management’ devices.
Such devices include firewalls and endpoint protection, also traffic flow management.

Manufacturers of Edge Devices and Management Solutions are often targeted by 0/N-days.

Updating software in enterprise environments is more complicated than for small networks.
There is a process that requires approvals to make changes for always-online systems.

Steve October 15, 2024 11:04 AM

@Clive Robinson: It reminds me of the issues I have with my DTV set-top boxes which now have DVD-recording functions. A recent firmware update removed the ability to sort the listing order of recorded items within a category. The streaming options have been down-featured too, and try to work automatically, including a per-program price that so-far has recognized there is a spending limit of 0 set. Current behavior has these streams downloaded automatically, and then only charging if the recording is played-back. Except in bad weather, when the satellite feed switches to streaming mode because of rain, it says it is setting to legacy resolution and that recording functions won’t be available. It does this also for when an entire series has been set to record: it will switch because of rain and stop recording. Not helpful. I may as well go back to VHS tape in a separate box.

Clive Robinson October 17, 2024 12:49 PM

@ Steve,

Re : Life lesson No1.

With regards,

“Not helpful. I may as well go back to VHS tape in a separate box.”

And there is the lesson,

“If someone else has control, you are not in charge of the situation or your life.”

That does not mean you should not let others ask you to do things or that you should not do them. Two things though should be clear,

1, You should know when to not follow orders and if necessary walk away (this is actually a legal requirement).

2, There should be equitable return for your time and effort (you are not a slave or worse serf, so you are entitled to fair recompense for your labour be it physical, mental, or acquired skill).

It sounds like “your system” is “not yours” to do with as you wish…

There are reasons why nearly all the tech in my house is “last century” and I don’t do streaming or other “pay endlessly” media.

When it comes to “equitable” this is nothing like fair, so they can –how do I put it politely– go whistle somewhere else, lest I decide I’m entitled at their expense.

Back last century what was BSB, later “Sky”, had this notion that they should control your viewing to their considerable profit. For some considerable period their sales reps would knock on my door even though they had been informed they were trespassing and should cease and desist. Eventually via legal means they got the message.

Somebody who is now no longer with us decided to go a different route and spent considerable effort in making the Sky System “hacked” and sold systems to others so they could “Free-View”. Apparently it was a lucrative business for a while, but they had the good sense to get out ahead of the crackdown.

Which tells you there is another life lesson that others should be aware of,

“Any system man designs that follows non unique or deterministic rules, can be changed by other men to follow different rules.”

An example of this can be seen back in the early days of GPS systems. The US added “synthetic noise” called “Selective Availability”(SA) to the system to make it less accurate. Other men thought up three basic ways around this,

The first was to determine how the SA synthetic noise was generated and come up with a negative of it. This was quite difficult so was almost a “forever project”.

The second was actually much, much easier. The failing of the SA synthetic noise was that it had to average out over time. So if your receiver remained in a known location for a time, the average of the GPS signal gained accuracy. But… this did not mean the GPS receiver had to stay in a fixed position. If you could accurately determine how far your receiver had moved via, say, “inertial navigation” then you could use it in the averaging-out process (a number of the modern MEMS devices used in mobile phones are of sufficient accuracy to do this).

The third method was in effect based on the second but was a lot lot less expensive for GPS receivers. What they did was place a GPS receiver at a known fixed location. Then subtracted that known location from the GPS receiver indicated location that had SA on it. They then obtained a “difference signal” they transmitted on a general broadcast. It did not take long for GPS receivers to be augmented to use the differential signal to remove the SA signal.

So the US in effect gave up and after turning off the SA they did not turn it on again. However the third method still remains in some places because it actually gives a greater accuracy than just the received GPS signal.

At one time I used to receive several differential signals and use them to see certain ionospheric results (GPS even with single point differential is only “so good”).

Knowing this should indicate that such annoying technical systems that are “works of venal men” and far from unique can be undone by other technical systems… However such venal men believe they are “entitled by right” so try to make the technical systems too complicated or continuously changed, or if that fails they send in “rented goons” who act under “purchased legislation”.

My view is what they are offering is “not worth the price or effort” so I don’t play either way.

Funny thing though, in the UK you have to pay a “licence fee” that is just another unwarranted tax at around 16GBP a month. Add to that the 30GBP a month of the broadcaster service like Sky and that’s quite a bit of money per month. However at least one cinema chain does a visit-as-often-as-you-want monthly ticket for less than 20GBP…

If I was inclined to “pay to view” (or view at all, which I’m not), then the cinema has “the latest” for a lot less, and as winter is arriving and heating bills are high, spending the evening in a warm cinema has certain attractions, which is maybe why the “Old Age Pensioners” (OAPs) concessions appear so well taken up…
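The comment above describes two ways the GPS Selective Availability dither was worked around: averaging a stationary receiver’s fixes over time, and subtracting a correction broadcast from a reference station at a surveyed location. The following added simulation (not part of the comment, and not anyone’s GPS code) shows why both work. Its assumptions are deliberate simplifications: the SA error is modelled as a slowly wandering zero-mean offset on the position fix, identical for every receiver in the area, while each receiver also has its own small independent noise. All positions, noise levels and epoch counts are constructed values in metres.

```python
import math
import random

# Constructed simulation parameters (metres, epochs); not real measurements.
TRUE_ROVER = (1000.0, 2000.0)   # the position the rover is trying to recover
REF_STATION = (1500.0, 1800.0)  # surveyed reference station, position known exactly
SA_PHI = 0.95                   # persistence of the SA dither from one epoch to the next
SA_SIGMA = 10.0                 # per-epoch innovation of the dither (~30 m wander per axis)
RX_SIGMA = 1.5                  # independent receiver measurement noise
EPOCHS = 20000


def err2(a, b) -> float:
    """Squared 2-D distance between two (x, y) positions."""
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def simulate(seed: int = 1) -> dict:
    """Run the three receivers described in the comment side by side and report
    RMS position error for raw fixes, differential fixes and the averaged fix."""
    rng = random.Random(seed)
    # Common-mode SA error: same for all receivers in the area (simplification).
    sa = [0.0, 0.0]
    acc = [0.0, 0.0]                 # running sum of raw rover fixes (method 2)
    sum_sq_raw = sum_sq_diff = 0.0
    for _ in range(EPOCHS):
        # SA as a zero-mean AR(1) process: it wanders, but averages out over time,
        # which is the weakness the stationary-averaging method exploits.
        for i in range(2):
            sa[i] = SA_PHI * sa[i] + rng.gauss(0.0, SA_SIGMA)
        # Each receiver sees truth + shared SA offset + its own independent noise.
        rover_fix = tuple(TRUE_ROVER[i] + sa[i] + rng.gauss(0.0, RX_SIGMA) for i in range(2))
        ref_fix = tuple(REF_STATION[i] + sa[i] + rng.gauss(0.0, RX_SIGMA) for i in range(2))
        # Method 3 (differential): the reference station knows where it is, so
        # (known - measured) is the current SA offset; it broadcasts that and the
        # rover adds it to its own fix. The shared component cancels exactly.
        correction = tuple(REF_STATION[i] - ref_fix[i] for i in range(2))
        corrected = tuple(rover_fix[i] + correction[i] for i in range(2))
        # Method 2 (averaging): a stationary rover just accumulates raw fixes.
        for i in range(2):
            acc[i] += rover_fix[i]
        sum_sq_raw += err2(rover_fix, TRUE_ROVER)
        sum_sq_diff += err2(corrected, TRUE_ROVER)
    averaged = tuple(acc[i] / EPOCHS for i in range(2))
    return {
        "rms_raw": math.sqrt(sum_sq_raw / EPOCHS),          # what SA left users with
        "rms_differential": math.sqrt(sum_sq_diff / EPOCHS),  # only receiver noise remains
        "averaged_error": math.sqrt(err2(averaged, TRUE_ROVER)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>18}: {value:7.2f} m")
```

The differential residual is roughly the receiver noise of two receivers combined, which is why the method survived the end of SA: it also removes any other error the two receivers share, such as ionospheric delay, which is the effect the comment mentions observing through several differential feeds.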
