At Ivanti, we are committed to delivering innovative, high quality and secure solutions for our customers. We continue to invest significant resources to ensure that all our solutions continue to meet our own high standards. In the best interests of our customers, we are always investigating, assessing, monitoring, and validating the security posture of our solutions. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources. 

As part of our ongoing strengthening of the security of our products we have discovered and fixed several security issues in Ivanti Secure Access (ISAC) Client, formerly known as Pulse Secure Desktop Client. We are reporting these issues as CVE-2023-41718, CVE-2023-35080, CVE-2023-38543, CVE-2023-38043, and CVE-2023-38544.  

The following vulnerabilities impact all Windows versions of ISAC below 22.6R1.1: 

  • CVE-2023-35080, CVE-2023-38543 CVE-2023-38043. 

 The following vulnerabilities impact all Windows versions of ISAC below 22.6R1: 

  • CVE-2023-41718 

The Following vulnerabilities impact all Linux versions of ISAC below 22.4R1: 

  • CVE-2023-38544 

These vulnerabilities could allow a threat actor to: 

  • Elevate their privileges and /or perform a denial-of-service attack on the user machine via the ISAC Windows client (35080, 38543, 38043).   
  • Elevate their privileges via the ISAC Windows client (41718). 
  • Compromise the integrity of the security of the network on the local machine via the ISAC Linux client (38544). 

We encourage customers to apply the available remediation steps. More information on the CVEs and detailed instructions on how to remediate the vulnerabilities can be found in this Security Advisory. We have no evidence of any customers having been impacted by any of the vulnerabilities at this time. 

Our Support team is always here to help our customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required). 

Ivanti would like to thank Alex Oudenaarden and Tijme Gommers of Northwave Cybersecurity for their assistance and cooperation in the discovery and responsible disclosure of CVE-2023-35080, CVE-2023-38543 and CVE-2023-38043, and Fabian Müller of FIZ Karlsruhe for their assistance and cooperation in the discovery and responsible disclosure of CVE-2023-38544. 

Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.