Ivanti Endpoint Management (EPM) software is a comprehensive solution designed to help organizations manage and secure their endpoint devices across various platforms, including Windows, macOS, Chrome OS, and IoT systems.
The software firm released security updates to address a maximum security vulnerability, tracked as CVE-2024-29847, in its Endpoint Management software (EPM).
The vulnerability is a deserialization of untrusted data issue that resides in the agent portal, attackers can exploit the flaw to achieve remote code execution on the core server.
“Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.” reads the advisory published by the company.
Ivanti also fixed multiple critical, medium and high-severity vulnerabilities that can be exploited to achieve unauthorized access to the EPM core server.
Critical SQL injection vulnerabilities CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, CVE-2024-34785 (CVSS scores of 9.1) could allow a remote authenticated attacker with admin privileges to execute arbitrary code on the core server.
CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
CVE-2024-37397 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | 8.2 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-611 |
CVE-2024-8191 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 7.8 (High) | CVSS:3.0AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-89 |
CVE-2024-32840 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-32842 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-32843 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-32845 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-32846 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. . | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-32848 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-34779 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-34783 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. . | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-34785 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
CVE-2024-8320 | Missing authentication in Network Isolation of Ivanti EPM before {fix version} allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. | 5.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CWE-306 |
CVE-2024-8321 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. | 5.8 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L | CWE-306 |
CVE-2024-8322 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | 4.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CWE-1390 |
CVE-2024-29847 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 10.0 (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502 |
CVE-2024-8441 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. | 6.7 (Medium) | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-427 |
The flaws impact Ivanti Endpoint Manager versions 2024 and 2022 SU5 and earlier, the versions 2024 with Security Patch, (Need to apply both July and September)2024 SU1 (To be released) and 2022 SU6 fixed the problems
The company is not aware of attacks in the wild exploiting the vulnerabilities in the advisory.
“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.” concludes the advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SQL injection)