Summary

Acunetix 360 identified an Out-of-Band Command Injection by capturing a DNS A request issued by the target. Command injection occurs when input data is interpreted as an operating system command.

This is a highly critical issue and should be addressed as soon as possible.

Impact

A command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Remediation

Upgrade to the latest version of Ivanti Connect Secure / Ivanti Policy Secure.

Severity

Critical

Classification

PCI v3.2-6.5.1, CAPEC-88, CWE-78, HIPAA-164.306(a) 164.308(a), ISO27001-A.14.2.5, WASC-31, OWASP 2013-A1, OWASP 2017-A1, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H