Researchers have created a proof-of-concept (PoC) exploit for a recently disclosed critical vulnerability in Ivanti Endpoint Manager, potentially paving the way for widespread exploitation of devices.
The vulnerability, known as CVE-2024-29824, is an SQL injection flaw that was initially identified by an independent researcher and then passed on to Trend Micro’s Zero Day Initiative (ZDI). ZDI alerted Ivanti to the issue on April 3.
This vulnerability impacts Ivanti’s centralized endpoint management solution, making it an attractive target for malicious actors seeking to compromise multiple devices within an organization from a single entry point. The flaw allows unauthorized attackers to carry out remote code execution (RCE) within the program, earning it a critical 9.8 out of 10 CVSS score.
Dustin Childs, head of threat awareness at ZDI, explained, “Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system. From there, they would be able to affect other systems and do whatever you’re using the Endpoint Manager to do.”
The specific vulnerability resides in a method called “RecordGoodApp” within a dynamic link library (DLL) file called “PatchBiz” that is part of the program’s core server. According to a detailed blog post from Horizon3.ai, which published the PoC on GitHub, attackers can exploit the vulnerability by manipulating user input data within the RecordGoodApp method to execute arbitrary code, such as running Windows Notepad.
Ivanti’s Response
This latest vulnerability comes on the heels of a series of security incidents involving the Ivanti platform. The company faced scrutiny for several zero-day vulnerabilities, delayed patches, and a surge in exploits targeting its software. Despite these challenges, Ivanti responded promptly to CVE-2024-29824.
Childs commended Ivanti for its quick response, stating, “It’s not like we had to convince them [to patch]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That’s about as good as you’re going to see.” He acknowledged Ivanti’s efforts to address security issues in a timely manner despite facing multiple vulnerabilities in recent times.
Ivanti released a patch for CVE-2024-29824 on May 24, urging customers to implement it promptly. Given threat actors’ history of targeting Ivanti vulnerabilities and the availability of a working PoC for this latest flaw, organizations are advised to apply the patch as soon as possible to mitigate potential risks.
In addition to applying patches, organizations can enhance security by safeguarding their management interfaces from unauthorized access over the internet. Childs recommended restricting access to Endpoint Manager to specific trusted IP addresses if it needs to be accessible online.
Overall, while Ivanti has experienced a challenging period in terms of security incidents, the company’s proactive approach to addressing vulnerabilities in a timely manner demonstrates its commitment to safeguarding its customers’ environments. By promptly addressing security flaws and releasing patches, Ivanti is taking steps to enhance the security posture of its products and protect users from potential cyber threats.

