Ivanti fixes maximum severity RCE bug in Endpoint Management software


Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server.

Ivanti EPM helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.

The security flaw (CVE-2024-29847) is caused by a deserialization of untrusted data weakness in the agent portal that has been addressed in Ivanti EPM 2024 hot patches and Ivanti EPM 2022 Service Update 6 (SU6).

“Successful exploitation could lead to unauthorized access to the EPM core server,” the company said in an advisory published today.

For the moment, Ivanti added that they’re “not aware of any customers being exploited by these vulnerabilities at the time of disclosure. Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.”

Today, it also fixed almost two dozen more high and critical severity flaws in Ivanti EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA) that haven’t been exploited in the wild before being patched.

In January, the company patched a similar RCE vulnerability (CVE-2023-39336) in Ivanti EPM that could be exploited to access the core server or hijack enrolled devices.

Rise in fixed flaws due to security improvements

Ivanti said it had escalated internal scanning, manual exploitation, and testing capabilities in recent months while also working on improving its responsible disclosure process to address potential issues faster.

“This has caused a spike in discovery and disclosure, and we agree with CISA’s statement that the responsible discovery and disclosure of CVEs is ‘a sign of healthy code analysis and testing community,’” Ivanti said.

This statement follows extensive in-the-wild exploitation of multiple Ivanti zero-days in recent years. For instance, Ivanti VPN appliances have been targeted since December 2023 using exploits chaining the CVE-2024-21887 command injection and the CVE-2023-46805 authentication bypass flaws as zero-days.

The company also warned of a third zero-day (a server-side request forgery bug now tracked as CVE-2024-21893) under mass exploitation in February, allowing attackers to bypass authentication on vulnerable ICS, IPS, and ZTA gateways.

Ivanti says it has over 7,000 partners worldwide, and over 40,000 companies use its products to manage their IT assets and systems.
