Critical RCE Vulnerability Patched in Ivanti Endpoint Manager (CVE-2024-29847)
Summary
OEM | Ivanti |
Severity | Critical |
Date of Announcement | 2024-09-13 |
CVSS Score | 9.8 |
CVE | CVE-2024-29847 |
CWE | CWE-502 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A critical vulnerability (CVE-2024-29847) has been identified in Ivanti Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw is due to a deserialization of untrusted data issue in the AgentPortal.exe service, specifically within the .NET Remote framework. Exploitation can allow attackers to perform file operations such as reading or writing files on the server, potentially leading to full system compromise.
Vulnerability Name | CVE ID | Product Affected | Impact | CVSS Score |
Ivanti RCE (Remote code execution) Vulnerability | CVE-2024-29847 | Ivanti Endpoint Manager (EPM) versions prior to 2022 SU6 and 2024 September updates | Critical | 9.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-29847 | Ivanti Endpoint Manager (EPM) versions prior to 2022 SU6 and 2024 September updates | The AgentPortal.exe service's insecure deserialization, notably in the On Start method that makes use of the antiquated Microsoft.NET Remoting framework, is the source of the vulnerability. Without any security enforcement, the service registers a TCP channel that makes it possible for attackers to inject malicious objects. Attackers can initiate file operations, such as reading, writing, or even executing arbitrary code on the server for example, launching web shells for remote code execution by transmitting a crafted hash table of serialized objects. | Remote Code Execution (RCE) |
Remediation
Ivanti has released security updates addressing this vulnerability. Apply the latest patches for Ivanti EPM immediately:
- Ivanti EPM 2022 SU6
- Ivanti EPM September 2024 Update
General Recommendations:
- Conduct regular vulnerability scans to ensure that all systems are up-to-date, and no vulnerable versions are in use.
- Ensure that systems and users only have the minimum required access levels to reduce the impact of any compromise.
- Segregate critical systems from the rest of the network to minimize potential damage from a successful exploitation.