Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM)

Pierluigi Paganini September 11, 2024

Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM) that can let attackers achieve remote code execution on the core server

Ivanti Endpoint Management (EPM) software is a comprehensive solution designed to help organizations manage and secure their endpoint devices across various platforms, including Windows, macOS, Chrome OS, and IoT systems.

The software firm released security updates to address a maximum severity vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM).

The vulnerability is a deserialization of untrusted data issue that resides in the agent portal. Attackers can exploit the flaw to achieve remote code execution on the core server.

“Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution,” reads the advisory published by the company.

Ivanti also fixed multiple critical, medium and high-severity vulnerabilities that can be exploited to achieve unauthorized access to the EPM core server. 

Critical SQL injection vulnerabilities CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, CVE-2024-34785 (CVSS scores of 9.1) could allow a remote authenticated attacker with admin privileges to execute arbitrary code on the core server.

| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2024-37397 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | 8.2 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-611 |
| CVE-2024-8191 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32840 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32842 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32843 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32845 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32846 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32848 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34779 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34783 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34785 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-8320 | Missing authentication in Network Isolation of Ivanti EPM before {fix version} allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. | 5.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CWE-306 |
| CVE-2024-8321 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. | 5.8 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L | CWE-306 |
| CVE-2024-8322 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | 4.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CWE-1390 |
| CVE-2024-29847 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 10.0 (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502 |
| CVE-2024-8441 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. | 6.7 (Medium) | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-427 |

The flaws impact Ivanti Endpoint Manager versions 2024 and 2022 SU5 and earlier. Versions 2024 with Security Patch (both the July and September patches need to be applied), 2024 SU1 (to be released), and 2022 SU6 fix the problems.

The company is not aware of attacks in the wild exploiting the vulnerabilities in the advisory.

“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” concludes the advisory.
