Ivanti fixes critical vulnerabilities in Endpoint Management (CVE-2024-29847)
Ivanti has fixed a slew of vulnerabilities affecting its Endpoint Manager solution, including a maximum severity one (CVE-2024-29847) that may allow unauthenticated attackers to remotely execute code in the context of the vulnerable system, and use it as a beachhead for burrowing into corporate networks and devices.
The fixes
CVE-2024-29847 affects the agent portal of Ivanti Endpoint Manager versions 2024 (with the September update) and 2022 SU5 and earlier, and stems from the application’s improper deserialization of untrusted data.
This weakness can be abused by attackers to execute arbitrary code, without having to authenticate to the system beforehand.
By releasing Ivanti Endpoint Manager v2022 SU6 and a “security hot patch” for EPM v2024, the company has not only fixed CVE-2024-29847 but also 15 additional vulnerabilities, including:
- Nine critical SQL injection flaws that can be exploited remotely to execute code (but require the attacker to be authenticated with admin privileges), and
- An XML External Entity (XXE) vulnerability that allows a remote unauthenticated attacker to leak API secrets.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company confirmed.
There are no workarounds or mitigations available, making it imperative for admins to upgrade their installations quickly. In EPM 2024, the security holes have been plugged with a patch for now, and they will be resolved in the upcoming version 2024 SU1 of Endpoint Manager.
Simultaneously, the company has also released:
- A security update for Ivanti Cloud Service Appliance (CSA) 4.6 to patch an authenticated OS command injection vulnerability (CVE-2024-8190) leading to RCE
- Ivanti Workspace Control v10.18.99.0, which features a new architecture that addresses six vulnerabilities that could be exploited for privilege escalation and lateral movement
None of these bugs are under active exploitation.
Ivanti’s increased efforts to improve product security
It’s a testament to Ivanti taking security more seriously that the patch for CVE-2024-8190 has been made available (even though Ivanti CSA 4.6 should have stopped receiving security fixes in August 2024), and that the company has re-architected a solution to fix reported vulnerabilities.
Ivanti has had its share of bad attention in the last year, as zero-day vulnerabilities in its solutions were steadily exploited by attackers to breach Norwegian ministries, MITRE, and other unnamed targets, for cyberespionage (to deliver webshells and persistent backdoors) and to deliver cryptominers.
The company was forced to go into damage control mode and pledge to up its security game.
“In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues,” the company has noted while releasing these latest updates.
“This has caused a spike in discovery and disclosure, and we agree with CISA’s statement that the responsible discovery and disclosure of CVEs is ‘a sign of healthy code analysis and testing community.’”
UPDATE (September 13, 2024, 04:20 p.m. ET):
Ivanti has updated the advisory for CVE-2024-8190, the authenticated command injection vulnerability affecting Ivanti Cloud Service Appliance (CSA) 4.6, to say that the vulnerability is being leveraged by attackers.
“At the time of this update, we are aware of a limited number of customers who have been exploited,” the company says, and recommends reviewing the CSA for modified or newly added administrative users.
“While inconsistent, some attempts may show up in the broker logs which are local to the system. We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA,” they added.
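Ivanti’s guidance above is to look for modified or newly added administrative users. The following script is an added, constructed example (not Ivanti’s code or a CSA feature) of how a defender might automate that review: it compares a known-good baseline of admin accounts with a current export and flags additions, removals, and changes to security-relevant fields. The JSON layout, the field names, and the `WATCHED_FIELDS` list are assumptions, not the appliance’s real export format.

```python
"""Compare two snapshots of an appliance's administrative accounts and report
accounts that were added, removed, or had security-relevant attributes changed.

Constructed example; the snapshot format below is an assumption and is NOT
Ivanti CSA's actual export format.
"""
import json

# Fields whose change on an existing account is worth flagging (assumption).
WATCHED_FIELDS = ("role", "password_hash", "enabled", "ssh_key")

# Constructed sample data: a known-good baseline taken before the exposure window.
BASELINE_JSON = """
[
  {"username": "admin",   "role": "administrator", "password_hash": "h1", "enabled": true, "ssh_key": ""},
  {"username": "opsuser", "role": "operator",      "password_hash": "h2", "enabled": true, "ssh_key": ""}
]
"""

# Constructed sample data: the current state pulled from the appliance.
CURRENT_JSON = """
[
  {"username": "admin",    "role": "administrator", "password_hash": "h1", "enabled": true, "ssh_key": "ssh-ed25519 AAAA-constructed"},
  {"username": "opsuser",  "role": "administrator", "password_hash": "h2", "enabled": true, "ssh_key": ""},
  {"username": "support1", "role": "administrator", "password_hash": "h9", "enabled": true, "ssh_key": ""}
]
"""


def load_accounts(text):
    """Parse a snapshot into a dict keyed by username."""
    return {acct["username"]: acct for acct in json.loads(text)}


def find_account_changes(baseline_text, current_text):
    """Return a sorted list of (username, finding) tuples describing
    additions, removals, and watched-field changes between two snapshots."""
    baseline = load_accounts(baseline_text)
    current = load_accounts(current_text)
    findings = []

    for name, acct in current.items():
        if name not in baseline:
            # A brand-new account is the highest-signal finding.
            findings.append((name, "added account with role=%s" % acct.get("role")))
            continue
        for field in WATCHED_FIELDS:
            if acct.get(field) != baseline[name].get(field):
                # Role elevation, credential swap, or a new SSH key on an existing admin.
                findings.append((name, "changed %s" % field))

    for name in baseline:
        if name not in current:
            findings.append((name, "removed account"))

    return sorted(findings)


if __name__ == "__main__":
    for name, finding in find_account_changes(BASELINE_JSON, CURRENT_JSON):
        print(f"{name}: {finding}")
```

Run against the constructed snapshots it reports a new SSH key on `admin`, a role change on `opsuser`, and a newly added `support1` administrator. Any of those findings, on a CSA exposed during the exploitation window, would warrant treating the appliance as compromised and pairing the review with the broker logs and EDR alerts the advisory mentions.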
CISA has also added CVE-2024-8190 to its Known Exploited Vulnerabilities catalog, giving US Federal Civilian Executive Branch agencies until October 4, 2024, to mitigate the issue on their network(s).
“As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive future security updates,” the agency advised.
UPDATE (September 16, 2024, 10:40 p.m. ET):
Sina Kheirkhah of Summoning Team – the researcher who reported CVE-2024-29847 – has published a technical rundown of the vulnerability, and a PoC exploit for it that, for now, is a “bit difficult to utilize since this is a high value target and this might help in slowing APT Kiddies down.”