Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)


Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM) that can let attackers achieve remote code execution on the core server

Ivanti Endpoint Management (EPM) software is a comprehensive solution designed to help organizations manage and secure their endpoint devices across various platforms, including Windows, macOS, Chrome OS, and IoT systems.

The software firm released security updates to address a maximum severity vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM).

The vulnerability is a deserialization of untrusted data issue that resides in the agent portal. An attacker can exploit the flaw to achieve remote code execution on the core server.

“Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.” reads the advisory published by the company.
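For readers who want to see what the bug class behind CVE-2024-29847 (CWE-502) looks like in code, here is an added Python illustration written for this article. It is not Ivanti's code: EPM is not a Python product and the agent portal's real message format is not public, so the message fields, the loaders and the sample inputs are assumptions. It puts the vulnerable pattern (a serializer that can name and call arbitrary classes, fed bytes a remote client controls) beside two mitigations: a deny-by-default allow-list on the unpickler, and a data-only format with an explicit shape check.

```python
"""Added illustration of CWE-502, deserialization of untrusted data.

Example code written for this article, not Ivanti's code: EPM is not a
Python product and the agent portal's real message format is not public.
The point is the pattern: a serializer that can name and call arbitrary
classes must never be fed bytes an unauthenticated client controls.
"""
import builtins
import datetime
import io
import json
import pickle

# --- The vulnerable pattern --------------------------------------------------
# pickle.loads() imports and invokes whatever globals the byte stream names,
# so an attacker-supplied blob is a code-execution primitive. Kept only so the
# contrast with the hardened loaders below is visible.
def unsafe_load(blob: bytes):
    return pickle.loads(blob)

# --- Mitigation 1: deny-by-default allow-list on the unpickler ---------------
# Only the plain data types a status message could legitimately contain.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside SAFE_BUILTINS (pattern from
    the CPython docs). A harmless but unlisted type is rejected too, which is
    the behaviour you want: the list says what is needed, not what is bad."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def try_restricted_load(blob: bytes):
    """Returns (True, object) or (False, reason) instead of raising."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# --- Mitigation 2: a data-only format with an explicit shape check ----------
# Hypothetical agent status message; the field names are assumptions.
STATUS_SCHEMA = {"agent_id": str, "hostname": str, "isolated": bool}

def try_parse_status(raw: bytes):
    """JSON cannot carry code; the schema check stops unexpected fields and
    type confusion (bool is compared by exact type, since bool is an int)."""
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        return False, f"not JSON: {exc}"
    if not isinstance(obj, dict):
        return False, "top-level value must be an object"
    unexpected = set(obj) - set(STATUS_SCHEMA)
    if unexpected:
        return False, f"unexpected fields: {sorted(unexpected)}"
    for key, typ in STATUS_SCHEMA.items():
        if key not in obj:
            return False, f"missing field: {key}"
        if type(obj[key]) is not typ:
            return False, f"field {key} must be {typ.__name__}"
    return True, obj

# --- Constructed sample inputs (not real EPM traffic) ------------------------
BENIGN_BLOB = pickle.dumps({"agent_id": "A-1", "hostname": "ws01", "isolated": False})
# datetime.date is harmless, but it is a global the allow-list does not name.
UNLISTED_BLOB = pickle.dumps(datetime.date(2024, 9, 10))
GOOD_JSON = b'{"agent_id": "A-1", "hostname": "ws01", "isolated": false}'
EXTRA_FIELD_JSON = b'{"agent_id": "A-1", "hostname": "ws01", "isolated": false, "cmd": "x"}'
WRONG_TYPE_JSON = b'{"agent_id": "A-1", "hostname": "ws01", "isolated": 0}'

if __name__ == "__main__":
    print("benign pickle   :", try_restricted_load(BENIGN_BLOB))
    print("unlisted pickle :", try_restricted_load(UNLISTED_BLOB))
    print("unsafe_load     :", unsafe_load(UNLISTED_BLOB))
    for raw in (GOOD_JSON, EXTRA_FIELD_JSON, WRONG_TYPE_JSON):
        print("json            :", try_parse_status(raw))
```

The restricted unpickler is a stopgap for code that cannot drop pickle; the JSON loader is the real fix, because a format that carries only data has no gadget to call no matter what the client sends.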

Ivanti also fixed multiple critical, medium and high-severity vulnerabilities that can be exploited to achieve unauthorized access to the EPM core server. 

Critical SQL injection vulnerabilities CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, CVE-2024-34785 (CVSS scores of 9.1) could allow a remote authenticated attacker with admin privileges to execute arbitrary code on the core server.

| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2024-37397 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | 8.2 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-611 |
| CVE-2024-8191 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32840 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32842 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32843 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32845 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32846 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32848 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34779 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34783 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34785 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-8320 | Missing authentication in Network Isolation of Ivanti EPM before {fix version} allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. | 5.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CWE-306 |
| CVE-2024-8321 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. | 5.8 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L | CWE-306 |
| CVE-2024-8322 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | 4.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CWE-1390 |
| CVE-2024-29847 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 10.0 (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502 |
| CVE-2024-8441 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. | 6.7 (Medium) | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-427 |

The flaws impact Ivanti Endpoint Manager versions 2024 and 2022 SU5 and earlier. The fixes are in the 2024 Security Patch (both the July and September patches need to be applied), in 2024 SU1 (to be released), and in 2022 SU6.

The company is not aware of attacks in the wild exploiting the vulnerabilities in the advisory.

“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.” concludes the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SQL injection) 