Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)
CVE-2024-29824, an unauthenticated SQL Injection vulnerability in Ivanti Endpoint Manager (EPM) appliances, is being exploited by attackers, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the bug to its Known Exploited Vulnerabilities catalog.
Ivanti followed suit by updating the relevant security advisory to say that it is aware of a limited number of customers whose installations have been exploited. No further details about the attacks are available at this time.
About CVE-2024-29824
CVE-2024-29824, reported by an anonymous researcher via the Zero Day Initiative (ZDI) program, is one of ten SQL injection vulnerabilities that Ivanti released a fix for in May 2024.
They all affect the core server of Ivanti EPM 2022 SU5 and earlier versions, can lead to code execution in the context of the service account, and have all been fixed through a security hot patch.
ZDI’s advisory described CVE-2024-29824 as a flaw within the implementation of the RecordGoodApp method, caused by a lack of proper validation of a user-supplied string before it is used to construct SQL queries.
That was enough to point Horizon3.ai researchers in the right direction, and they published technical details about the vulnerability and a PoC exploit in June 2024.
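To make the defect class concrete, the following is an added illustration (not Ivanti’s code and not the RecordGoodApp implementation, whose details are not on this page): a hypothetical lookup that concatenates a user-supplied string into a query, next to the parameterized form that the hot patch approach corresponds to in principle. It uses an in-memory SQLite table as a stand-in for the product’s database, with constructed sample rows.

```python
import sqlite3

# Constructed sample data standing in for an endpoint-management inventory table.
# The schema and values are hypothetical and exist only for this demonstration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE good_apps (name TEXT, approved INTEGER)")
    conn.executemany(
        "INSERT INTO good_apps VALUES (?, ?)",
        [("notepad.exe", 1), ("calc.exe", 1), ("internal-tool.exe", 0)],
    )
    return conn

def lookup_app_vulnerable(conn: sqlite3.Connection, app_name: str) -> list:
    # The defect class described in the ZDI advisory: the caller-controlled string
    # becomes part of the SQL text, so quote characters in it change the query's logic.
    sql = ("SELECT name FROM good_apps WHERE name = '" + app_name
           + "' AND approved = 1")
    return sorted(row[0] for row in conn.execute(sql))

def lookup_app_safe(conn: sqlite3.Connection, app_name: str) -> list:
    # Parameterized query: the driver binds app_name as a value, never as SQL,
    # so the same input is compared literally and matches nothing.
    sql = "SELECT name FROM good_apps WHERE name = ? AND approved = 1"
    return sorted(row[0] for row in conn.execute(sql, (app_name,)))

def demo() -> dict:
    conn = make_db()
    # A classroom-style input whose quote and comment characters alter the
    # concatenated query; it is a literal string to the parameterized version.
    probe = "x' OR 1=1 --"
    return {
        "normal_vulnerable": lookup_app_vulnerable(conn, "notepad.exe"),
        "normal_safe": lookup_app_safe(conn, "notepad.exe"),
        "probe_vulnerable": lookup_app_vulnerable(conn, probe),
        "probe_safe": lookup_app_safe(conn, probe),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable variant returns every row, including the unapproved one, for the probe input; the parameterized variant returns nothing, which is the behaviour a patched code path should show.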
What to do?
The addition of CVE-2024-29824 to the KEV catalog means that all US federal civilian executive branch agencies must remediate it by October 23, 2024.
The patch provided by Ivanti is applied by replacing five DLL files on the core server with five files of the same name contained in the patch. The process is completed by either restarting the core server or closing the EPM console and running IISRESET (a command that restarts the IIS services), so that the new DLL files are loaded.
At an unspecified date after the initial release of its advisory, Ivanti made changes to the patch and urged users to update some of the files, or to implement the new patch if they had not previously done so. So check the advisory and do what needs to be done.