Critical Vulnerability in Ivanti EPM (CVE-2024-29847)
Executive Summary
On September 10th, 2024, Ivanti published an advisory detailing multiple critical severity vulnerabilities in their Endpoint Management (EPM) product. The EPM product manages IT assets, troubleshooting, and deployment of software and operating systems. A vulnerability in a system with this amount of control over a network environment presents significant risk.
Among the reported vulnerabilities, CVE-2024-29847 is particularly notable. It is the one vulnerability with a CVSS score of 10.0, because it can be exploited remotely, requires no authentication, and is relatively straightforward to attack.
Ivanti's products have experienced critical vulnerabilities that were exploited in cyber-attacks earlier this year, specifically in January (CVE-2023-46805 and CVE-2024-21887) and again in February (CVE-2024-21893, CVE-2024-22024, and CVE-2024-21888). Although the newly discovered vulnerabilities have not yet been abused by threat actors, Beazley Security believes cyber-criminal groups or other threat actors will attempt to weaponize these vulnerabilities. As such Beazley Security strongly recommends that organizations apply the available software patches as quickly as possible.
Affected Systems / Products
Product Name: Ivanti Endpoint Manager
- Affected Version (s):
- 2024
- Resolved Version(s):
- 2024 with July and September Security Patches applied, or 2024 SU1 (Not yet released at the time of writing)
Product Name: Ivanti Endpoint Manager
- Affected Version (s):
- 2022 SU5 and earlier
- Resolved Version(s):
- 2022 SU6
Mitigations / Workarounds
The vendor reports no mitigations or workarounds are available. Organizations should apply available patches as soon as possible.
Patches
Details for the security fixes can be found on Ivanti’s advisory here.
For EPM 2024:
- Download the Security Hot Patch files here.
- Close the EPM Console
- Extract the folder, open Powershell as an admin and then run the Deploy.ps1
- Reboot the Core Server.
For EPM 2022:
Technical Details
The vulnerability involves a software exploit known as a deserialization attack. Applications will often need to transfer internal data in memory over a network or into a file and need to put that data through a process called “serialization” to put it in a format that can be transferred. Once transferred, the application will reverse the process (called “deserialization”) to return it back into a state it can use.
Occasionally, deserialization is carried out insecurely, and manipulated serialized data can trigger harmful, unintended consequences. Specifically, in this scenario, the consequence is remote code execution, which results in a complete compromise of an Ivanti Endpoint Management Core Server.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify potentially impacted devices and support organizations in remediation of any issues found.
Sources
Aware of an incident impacting your industry? Let us know: