Executive Summary

    On September 10th, 2024, Ivanti published an advisory detailing multiple critical severity vulnerabilities in their Endpoint Management (EPM) product. The EPM product manages IT assets, troubleshooting, and deployment of software and operating systems. A vulnerability in a system with this amount of control over a network environment presents significant risk. 

    Among the reported vulnerabilities, CVE-2024-29847 is particularly notable. It is the only one with a CVSS score of 10.0, because it can be exploited remotely, requires no authentication, and is relatively straightforward to exploit. 

    Ivanti's products have experienced critical vulnerabilities that were exploited in cyber-attacks earlier this year, specifically in January (CVE-2023-46805 and CVE-2024-21887) and again in February (CVE-2024-21893, CVE-2024-22024, and CVE-2024-21888). Although the newly discovered vulnerabilities have not yet been abused by threat actors, Beazley Security believes cyber-criminal groups or other threat actors will attempt to weaponize these vulnerabilities. As such, Beazley Security strongly recommends that organizations apply the available software patches as quickly as possible. 

    Affected Systems or Products

    | Product Name | Affected Version(s) | Resolved Version(s) |
    |---|---|---|
    | Ivanti Endpoint Manager | 2024 | 2024 with July and September Security Patches applied, or 2024 SU1 (Not yet released at the time of writing) |
    | Ivanti Endpoint Manager | 2022 SU5 and earlier | 2022 SU6 |

    Mitigations / Workarounds

    The vendor reports no mitigations or workarounds are available. Organizations should apply available patches as soon as possible.  

    Patches

    Details for the security fixes can be found on Ivanti’s advisory here

    For EPM 2024: 

    1. Download the Security Hot Patch files here

    2. Close the EPM Console

    3. Extract the folder, open PowerShell as an admin, and then run Deploy.ps1

    4. Reboot the Core Server.

    For EPM 2022: 

    1. Download the patch file here

    2. Follow Ivanti’s detailed instructions found here

    Technical Details

    The vulnerability involves a software exploit known as a deserialization attack. Applications often need to transfer in-memory data over a network or write it to a file, so they put that data through a process called “serialization” to convert it into a format that can be transferred. Once the data has been transferred, the application reverses the process (called “deserialization”) to return it to a state it can use. 

    Occasionally, deserialization is carried out insecurely, and manipulated serialized data can trigger harmful, unintended consequences. Specifically, in this scenario, the consequence is remote code execution, which results in a complete compromise of an Ivanti Endpoint Management Core Server.  
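
The mechanism described above, shown as an added example that is not from the advisory or from Ivanti. It assumes Python's pickle as a stand-in serialization format (EPM's own format is not described here) and uses constructed byte strings, with the harmless `operator.mul` standing in for a function named by manipulated data; the allow-list deserializer shows the usual mitigation.

```python
import io
import operator
import pickle
from collections import OrderedDict


class Manipulated:
    """Constructed object whose serialized form names a function to call on load.
    operator.mul is a harmless stand-in for whatever the sender might choose."""

    def __reduce__(self):
        return (operator.mul, (6, 7))


class AllowListUnpickler(pickle.Unpickler):
    """Deserializer that resolves only the types the application expects."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    return AllowListUnpickler(io.BytesIO(data)).load()


def demo():
    # Both byte strings are constructed samples, not captured traffic.
    expected = pickle.dumps(OrderedDict(host="ws-01", patch_level=5))
    manipulated = pickle.dumps(Manipulated())

    results = {"roundtrip": safe_loads(expected)}
    # Insecure path: the stream, not the application, decides what is called.
    results["insecure_result"] = pickle.loads(manipulated)
    try:
        safe_loads(manipulated)
        results["blocked"] = False
    except pickle.UnpicklingError as exc:
        results["blocked"] = True
        results["reason"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The insecure load returns the result of the function named in the stream instead of a data object, while the allow-list deserializer accepts the expected type and rejects the manipulated stream before anything is called.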

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.