The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed exploitation of an unauthenticated SQL injection vulnerability in Ivanti Endpoint Manager (EPM) appliances, tracked as CVE-2024-29824. This critical vulnerability has been added to the Known Exploited Vulnerabilities catalog, indicating that attackers have been actively targeting systems running Ivanti EPM.
Ivanti says it is aware of a limited number of customers who have been exploited. Specific details about the attacks remain undisclosed at this time. The severity of the situation has prompted both CISA and Ivanti to take action and raise awareness about the vulnerability.
CVE-2024-29824 was reported by an anonymous researcher through the Zero Day Initiative program. It is one of ten SQL injection vulnerabilities that Ivanti addressed in a security update released in May 2024. All of these vulnerabilities affect the core server of Ivanti EPM 2022 SU5 and earlier versions, potentially leading to code execution in the context of the service account. Ivanti has since released a security hot patch to address these issues.
ZDI’s advisory describes CVE-2024-29824 as a flaw in the implementation of the “RecordGoodApp” method, resulting from insufficient validation of user-supplied strings before constructing SQL queries. Horizon3.ai researchers further investigated this vulnerability and provided technical details along with a Proof of Concept exploit in June 2024.
In response to the exploitation of CVE-2024-29824, all US federal civilian executive branch agencies are required to remediate the vulnerability by October 23, 2024. Ivanti has provided a patch that involves replacing five DLL files in the core server with updated versions included in the patch. Users are advised to restart the core server or run IISRESET to ensure the new DLL files are loaded correctly.
Ivanti EPM users should act immediately to secure their systems against attacks exploiting CVE-2024-29824. Ivanti has issued updated guidance regarding the patch and recommends that users update the specific files or apply the latest patch if they have not already done so. Following the measures outlined in Ivanti’s advisory is essential to prevent further exploitation and ensure the integrity of systems running Ivanti EPM.
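
One way to confirm the patch procedure described above took effect, as an added example (not Ivanti's tooling and not part of the original article): the PowerShell script below compares every DLL shipped in the extracted patch against the copies installed on the core server and flags IIS worker processes that started before the replacement. The article does not name the five DLLs or their locations, so `$PatchDir`, `$InstallDir` and `$ReplacedAt` are assumed parameters you supply.

```powershell
# Added example, not Ivanti tooling. Run elevated on the core server.
param(
    [Parameter(Mandatory)] [string]   $PatchDir,    # assumption: folder with the DLLs extracted from the patch
    [Parameter(Mandatory)] [string]   $InstallDir,  # assumption: root folder of the EPM core server install
    [Parameter(Mandatory)] [datetime] $ReplacedAt   # assumption: when you copied the new DLLs into place
)

$patchDlls = @(Get-ChildItem -Path $PatchDir -Filter *.dll -File)
if ($patchDlls.Count -eq 0) { throw "No DLLs found in $PatchDir" }

# Compare every installed copy of each patched DLL with the copy shipped in the patch.
$results = foreach ($patched in $patchDlls) {
    $want = (Get-FileHash -Path $patched.FullName -Algorithm SHA256).Hash
    $installed = @(Get-ChildItem -Path $InstallDir -Filter $patched.Name -File -Recurse -ErrorAction SilentlyContinue)
    if ($installed.Count -eq 0) {
        [pscustomobject]@{ Dll = $patched.Name; Path = '(not found)'; Status = 'MISSING' }
        continue
    }
    foreach ($file in $installed) {
        $have = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $status = if ($have -eq $want) { 'OK' } else { 'NOT REPLACED' }
        [pscustomobject]@{ Dll = $patched.Name; Path = $file.FullName; Status = $status }
    }
}
$results | Format-Table -AutoSize

# IIS workers started before the replacement may still be running the old DLLs.
$stale = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue | Where-Object { $_.StartTime -lt $ReplacedAt })
foreach ($p in $stale) {
    Write-Warning "w3wp PID $($p.Id) started $($p.StartTime), before the DLLs were replaced; run IISRESET"
}

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0 -or $stale.Count -gt 0) { exit 1 }
Write-Output "All $($patchDlls.Count) patched DLLs are in place and no stale IIS worker was found."
```

The script exits non-zero when a DLL is missing or unchanged or when a worker predates the replacement, so it can gate a remediation ticket or run from a scheduled compliance check.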

