Ivanti Issues Patch for Critical Vulnerabilities in Endpoint Manager, Including CVE-2024-29847 (CVSS 10.0)

CVE-2024-29847 & CVE-2024-8190

Ivanti has released a series of critical updates for its widely used Ivanti Endpoint Manager (EPM), addressing several vulnerabilities that pose significant security risks to organizations. The most severe of these vulnerabilities—CVE-2024-29847, with a CVSS score of 10.0—could allow remote attackers to achieve remote code execution through the deserialization of untrusted data. This vulnerability, along with multiple SQL injection flaws, places endpoints managed by Ivanti EPM at a high risk of compromise if not addressed.

Ivanti Endpoint Manager is a comprehensive solution for IT administrators, providing robust tools for managing and securing endpoints across an organization’s network. It enables centralized control over various devices, including desktops, laptops, and mobile devices, offering functionalities such as patch management, software distribution, and remote control. Given its widespread use in enterprise environments, any vulnerabilities within the system pose a considerable risk.

The recent security advisory highlights a range of critical and high-risk vulnerabilities in Ivanti EPM. Among them are:

  • CVE-2024-29847 (CVSS 10.0): A critical deserialization of untrusted data vulnerability in the agent portal that could allow unauthenticated remote attackers to achieve remote code execution. This flaw is especially dangerous, as it can be exploited without prior authentication, potentially leading to full control over vulnerable endpoints.
  • CVE-2024-32840 to CVE-2024-34785 (CVSS 9.1): A series of SQL injection vulnerabilities that allow remote authenticated attackers with administrative privileges to execute arbitrary code. These flaws highlight weaknesses in the input validation mechanisms within the management console, giving attackers the ability to manipulate SQL queries and gain unauthorized access.
  • CVE-2024-8320 and CVE-2024-8321: Missing authentication vulnerabilities in the Network Isolation feature of Ivanti EPM. These vulnerabilities allow remote unauthenticated attackers to manipulate the network isolation status of managed devices, potentially disconnecting critical devices from the network or falsely altering their isolation status.
  • CVE-2024-8441 (CVSS 6.7): An uncontrolled search path vulnerability in the EPM agent, which allows local attackers with administrative privileges to escalate their permissions to SYSTEM level, thereby gaining complete control over the local machine.

The most concerning of these vulnerabilities is CVE-2024-29847, which could be exploited remotely to execute arbitrary code without the need for authentication. This opens the door to a range of potential attacks, from data theft to ransomware deployment, and could result in significant disruptions to enterprise operations.

The SQL injection vulnerabilities (CVE-2024-32840 through CVE-2024-34785) further exacerbate the risk by allowing attackers who have gained administrative access to escalate their privileges and execute malicious code within the EPM environment. These flaws could be exploited to manipulate or delete critical data, leading to a complete breakdown in endpoint management operations.

The Network Isolation vulnerabilities (CVE-2024-8320 and CVE-2024-8321) pose a significant threat to organizations relying on Ivanti EPM for securing and isolating critical endpoints. Attackers exploiting these flaws could disrupt network segmentation strategies, potentially leading to the spread of malware or unauthorized access to sensitive network segments.

The vulnerabilities affect multiple versions of Ivanti EPM, including:

  • Ivanti Endpoint Manager 2024: Affected users must apply both the July and September 2024 security patches to protect against these vulnerabilities.
  • Ivanti Endpoint Manager 2022: All versions before SU6 are vulnerable. Users should update to 2022 SU6 or later to address these flaws.

Ivanti strongly advises all customers to update their Ivanti EPM installations to the latest versions to mitigate these risks. The company has made patches available for all affected versions and emphasizes the importance of applying security patches as soon as possible to prevent exploitation.
