Alert essentials:
A proof-of-concept is available for an Ivanti Endpoint Manager (EPM) flaw that has been actively exploited. Hot patches have been released; deploy these to impacted versions immediately.
Detailed threat description:
Ivanti Endpoint Manager helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
Ivanti EPM is a popular product with a history of frequent security vulnerabilities, which makes it a favorite target for attackers.
Recently, a deserialization of untrusted data vulnerability came to light in the tool. With a CVSS score of 10, CVE-2024-29847 exists within the AgentPortal service and allows an unauthenticated attacker to execute code remotely in the context of SYSTEM.
On September 12th, Ivanti released updates for 16 security vulnerabilities, including a hot patch for this RCE.
More recently, a proof-of-concept was released for the exploit, and the flaw has been actively exploited in the wild. Upgrade vulnerable versions of Ivanti EPM immediately.
Additionally, note that Microsoft .NET Remoting plays a role in exploiting the CVE discussed. The technical review listed in the references below provides more information.
Impacts on healthcare organizations:
Attackers can abuse this weakness to execute arbitrary code without authenticating to the system beforehand. The results of executing remote code are only limited by the hackers’ imagination, and life-sustaining systems are likely to be unavailable during the exploitation of this flaw.
Affected products / versions:
Endpoint Manager 2024
Endpoint Manager 2022 SU5 and earlier
CVEs:
CVE-2024-29847
Recommendations:
Engineering recommendations:
- Note: The security holes in Endpoint Manager 2024 have been plugged with a patch, and they will be resolved in the upcoming version 2024 SU1 of Endpoint Manager
- Apply the hotfix to vulnerable versions
- Verify Microsoft .NET Remoting service is not in use
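One way to start the .NET Remoting check in the last item, as an added example (not from Ivanti or the original bulletin): a PowerShell sweep for remoting configuration sections and for assemblies that reference the remoting channel namespace. The scan root is an assumed placeholder, and the string search over assembly bytes is a heuristic that produces leads for review.

```powershell
# Added example: heuristic inventory of .NET Remoting usage on a Windows host.
# Assumption: $Root is a placeholder; point it at the directories you want audited.
param([string]$Root = 'C:\Program Files')

function Find-RemotingConfig {
    param([Parameter(Mandatory)][string]$Path)
    # .NET Framework applications can declare remoting channels and exposed
    # objects in a <system.runtime.remoting> section of their .config file.
    Get-ChildItem -Path $Path -Recurse -Include *.config -File -ErrorAction SilentlyContinue |
        Select-String -Pattern '<system\.runtime\.remoting' -List |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'ConfigSection'; File = $_.Path; Evidence = $_.Line.Trim() }
        }
}

function Find-RemotingAssembly {
    param([Parameter(Mandatory)][string]$Path, [long]$MaxBytes = 64MB)
    # Channels registered in code leave type references in assembly metadata,
    # where namespace names are stored as plain UTF-8 strings.
    $needle = 'System.Runtime.Remoting.Channels'
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # maps 1 byte to 1 char
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $file = $_   # keep the file; inside catch, $_ is the error record
            try {
                $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
                if ($text.Contains($needle)) {
                    [pscustomobject]@{ Kind = 'AssemblyReference'; File = $file.FullName; Evidence = $needle }
                }
            } catch {
                Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
            }
        }
}

# Every hit is a lead for manual review, not proof that a channel is listening.
$findings = @(Find-RemotingConfig -Path $Root) + @(Find-RemotingAssembly -Path $Root)
$findings | Sort-Object Kind, File | Format-Table -AutoSize -Wrap
"{0} candidate file(s) under {1}" -f $findings.Count, $Root
```

Files larger than `$MaxBytes` are skipped, and .NET Framework's own libraries will match if the scan root includes the Windows directory, so scope the root to application install paths.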
Leadership/Program recommendations:
- Microsoft .NET Remoting is a dangerous and powerful technology found in critical infrastructures; it is so insecure that it is prohibited for use in the networks at Microsoft
- If your organization is utilizing Microsoft .NET Remoting, begin a search for an alternative and remove .NET Remoting from the environment as soon as possible
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Ivanti September Hot patches: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
- CISA: https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft .NET Remoting: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-netod/bfd49902-36d7-4479-bf75-a2431bd99039
- POC for vulnerability: https://github.com/sinsinology/CVE-2024-29847
- Technical review: https://summoning.team/blog/ivanti-epm-cve-2024-29847-deserialization-rce