Ivanti Security Alert: PoC Exploit and Active Attacks on Endpoint Manager and Cloud Services Appliance

CyberSecureFox 🦊

The cybersecurity community is on high alert as two critical vulnerabilities in Ivanti products have come to light, posing significant risks to organizations worldwide. A proof-of-concept (PoC) exploit for a remote code execution vulnerability in Ivanti Endpoint Manager has been released, while another vulnerability in Ivanti Cloud Services Appliance (CSA) is reportedly under active exploitation.

CVE-2024-29847: A Critical Threat to Ivanti Endpoint Manager

The vulnerability identified as CVE-2024-29847 affects Ivanti Endpoint Manager releases prior to 2022 SU6, as well as EPM 2024. This critical flaw, which allows remote code execution, stems from insecure deserialization of untrusted data. Security researcher Sina Kheirkhah discovered and reported the issue through the Zero Day Initiative on May 1, 2024, and Ivanti released a patch on September 10, 2024.

Technical Details of the Vulnerability

The root cause of CVE-2024-29847 lies in the unsafe deserialization within the AgentPortal.exe executable, specifically in the OnStart service method. The vulnerability is exacerbated by the use of the outdated Microsoft .NET Remoting framework for communication between remote objects. This configuration allows an attacker to inject malicious objects, potentially leading to arbitrary code execution on the target server.

Kheirkhah notes that while a Low type-filter level restricts which object types .NET Remoting will deserialize, this protective measure can be bypassed using a technique described by James Forshaw. This heightens the severity of the vulnerability and underscores the importance of promptly applying the available patch rather than relying on the filter alone.

CVE-2024-8190: Active Attacks on Ivanti Cloud Services Appliance

In a separate but equally concerning development, Ivanti has warned that another recent vulnerability, CVE-2024-8190, affecting the Cloud Services Appliance product is already being actively exploited in the wild. This vulnerability impacts Ivanti CSA version 4.6 and earlier, allowing authenticated remote attackers with administrative privileges to achieve remote code execution through command injection on vulnerable devices.

Mitigation Strategies for CSA Vulnerability

While Ivanti has released CSA 4.6 Patch 519 to address the issue, the company strongly recommends that customers upgrade from the now unsupported CSA 4.6.x version to the supported CSA 5.0 version. Additionally, Ivanti suggests that implementing dual-homed CSA configurations with ETH-0 as the internal network can significantly reduce the risk of exploitation.
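As an added illustration of the affected ranges described for CVE-2024-29847 and CVE-2024-8190 above (this is a triage helper written for this article, not Ivanti's code), the following script classifies inventory entries against those ranges and returns the remediation the advisory text names. The version-string formats ("2022 SU5", "4.6 Patch 518") and the inventory records are constructed assumptions about how an asset database might store them.

```python
import re
from typing import NamedTuple

# Affected ranges are taken from the advisory text; the version-string formats
# are an assumption about how an asset inventory records Ivanti versions.

class Finding(NamedTuple):
    affected: bool
    cve: str
    action: str

_EPM = re.compile(r"^(\d{4})(?:\s+SU\s*(\d+))?$", re.IGNORECASE)          # e.g. "2022 SU5", "2024"
_CSA = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:\s+Patch\s*(\d+))?$", re.IGNORECASE)  # e.g. "4.6 Patch 518", "5.0"

def triage_epm(version: str) -> Finding:
    """CVE-2024-29847: EPM releases prior to 2022 SU6, and EPM 2024, are affected."""
    m = _EPM.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EPM version string: {version!r}")
    year, su = int(m.group(1)), int(m.group(2) or 0)
    if year < 2022 or (year == 2022 and su < 6):
        return Finding(True, "CVE-2024-29847", "upgrade to 2022 SU6 or later")
    if year == 2024:
        return Finding(True, "CVE-2024-29847", "apply Ivanti's 10 Sep 2024 patch")
    return Finding(False, "CVE-2024-29847", "no action (outside stated affected range)")

def triage_csa(version: str) -> Finding:
    """CVE-2024-8190: CSA 4.6 and earlier affected; 4.6 Patch 519 fixes it, 5.0 is supported."""
    m = _CSA.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CSA version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) > (4, 6):
        return Finding(False, "CVE-2024-8190", "no action (outside stated affected range)")
    if (major, minor) == (4, 6) and patch >= 519:
        return Finding(False, "CVE-2024-8190", "patched, but 4.6.x is unsupported: plan upgrade to 5.0")
    return Finding(True, "CVE-2024-8190", "apply 4.6 Patch 519 now, then upgrade to 5.0")

def triage(product: str, version: str) -> Finding:
    """Dispatch on product name; only the two products in the advisory are known."""
    if product.upper() == "EPM":
        return triage_epm(version)
    if product.upper() == "CSA":
        return triage_csa(version)
    raise ValueError(f"unknown product: {product!r}")

if __name__ == "__main__":
    # Constructed sample inventory, not real asset data.
    inventory = [("EPM", "2022 SU5"), ("EPM", "2022 SU6"), ("EPM", "2024"),
                 ("CSA", "4.6 Patch 518"), ("CSA", "4.6 Patch 519"), ("CSA", "5.0")]
    for product, ver in inventory:
        f = triage(product, ver)
        print(f"{product:<4}{ver:<16}{'AFFECTED' if f.affected else 'ok':<9}{f.cve}  {f.action}")
```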

These recent developments serve as a stark reminder of the ever-present threats in the cybersecurity landscape. Organizations using Ivanti products are strongly advised to assess their systems, apply the necessary patches, and implement recommended security measures immediately. As the situation continues to evolve, staying informed and maintaining a proactive approach to cybersecurity remains crucial for protecting critical infrastructure and sensitive data from potential attacks.
