Advisory

Ivanti releases patches for Endpoint Manager fixing multiple critical flaws

Take action: A huge, and hopefully timely patch by Ivanti for EMP. Do not delay this patch, it has too many critical flaws - although there are no current reported exploits, hackers will start looking for unpatched Ivanti system immediately. After the release of the PoC, you need to patch IMMEDIATELY.

Learn More

Ivanti has released security updates for its Endpoint Manager (EPM) 2024 and 2022 SU6 versions to address several critical and high-severity vulnerabilities that could lead to unauthorized access to the EPM core server. The patch addresses 16 flaws including 10 critical:

  1. CVE-2024-29847 (CVSS score 10): A critical deserialization of untrusted data vulnerability in the agent portal, which could allow remote unauthenticated attackers to execute arbitrary code.

  2. CVE-2024-32840 (CVSS score 9.1): An unspecified SQL injection vulnerability in Ivanti EPM before 2022 SU6, or the 2024 September update. It allows remote authenticated attackers with administrative privileges to execute arbitrary code.

  3. CVE-2024-32842 (CVSS score 9.1): An unspecified SQL injection vulnerability with the same characteristics as CVE-2024-32840, impacting the same versions of Ivanti EPM.

  4. CVE-2024-32843 (CVSS score 9.1): An unspecified SQL injection vulnerability, similarly allowing remote code execution by authenticated attackers with administrative privileges.

  5. CVE-2024-32845 (CVSS score 9.1): Another unspecified SQL injection flaw that could be exploited to achieve remote code execution.

  6. CVE-2024-32846 (CVSS score 9.1): Similar to the others, this SQL injection flaw allows a remote authenticated attacker with admin privileges to execute arbitrary code.

  7. CVE-2024-32848 (CVSS score 9.1): This SQL injection vulnerability also allows for remote code execution by an attacker with the necessary privileges.

  8. CVE-2024-34779 (CVSS score 9.1): An unspecified SQL injection flaw that can lead to remote code execution, similar in nature to the vulnerabilities listed above.

  9. CVE-2024-34783 (CVSS score 9.1): This SQL injection flaw also allows remote code execution through a similar attack vector.

  10. CVE-2024-34785 (CVSS score 9.1): Another critical SQL injection vulnerability that can result in remote code execution.

  11. CVE-2024-37397 (CVSS score 8.2): An External XML Entity (XXE) vulnerability in the provisioning web service. This critical flaw could allow remote unauthenticated attackers to leak API secrets.

Affected Versions

  • Ivanti Endpoint Manager 2024: Requires both July and September 2024 security patches.
  • Ivanti Endpoint Manager 2022 SU5 and earlier: Users are advised to upgrade to 2022 SU6.

Update - As of 15th of September 2024, a PoC exploit has been published on Github, which makes exploitation attempts are imminent as hackers have a clear instruction set how to attack.

For EPM 2024, users are required to apply a security hot patch, provided they have installed the July 2024 patch. Necessary files, such as LANDesk.AlertManager.Business.dll and PatchBiz.dll, can be deployed using PowerShell. A system reboot is necessary post-installation.

For EPM 2022, users are advised to upgrade to version 2022 SU6 to ensure full protection.

Ivanti has confirmed that, as of the date of disclosure, no active exploitation of these vulnerabilities has been detected. The vulnerabilities were reported through responsible disclosure, and no indicators of compromise have been found.

Ivanti releases patches for Endpoint Manager fixing multiple critical flaws
Read More
Jenkins reports SSH Host Key Reuse in its …
CISA warns of active exploitation of Jenkins RCE …
Active exploitation reported of command injection flaw in …
Apache Hadoop HDFS Native Client Vulnerability
CISA reports active exploitation of Oracle AgilePLM flaws