External risk intelligence

Ivanti Endpoint Manager SQL Injection Vulnerability.

CVE advisory | Known Exploit

CVE-2024-29824

A SQL injection vulnerability in Ivanti Endpoint Manager Core server can allow an attacker on the same network to execute arbitrary code. This affects organizations using Ivanti EPM versions up to 2022 SU5 and presents a risk of unauthorized code execution and potential data compromise.

Halo Surface Signal: 2

Weakness: SQL Injection

Product: Ivanti Endpoint Manager

Affected versions: up to and including 2022 SU5

External exposure likelihood

Halo Surface Signal score for CVE-2024-29824

The vulnerability requires the attacker to be within the same network (adjacent network access). Ivanti Endpoint Manager core servers are typically deployed in internal, segmented management networks rather than directly exposed to the public internet, making wide-scale public internet reachability uncommon in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A SQL injection vulnerability exists within the Core server component of Ivanti Endpoint Manager. This flaw could enable an attacker on the same network to execute arbitrary code. The potential impact includes unauthorized code execution and compromise of the affected systems.

  • Vulnerable Ivanti EPM Core server
  • Unspecified SQL Injection flaw
  • Arbitrary code execution capability

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker on the same network can exploit a SQL injection vulnerability in Ivanti Endpoint Manager. This allows the attacker to execute arbitrary code, potentially leading to significant business risk. The vulnerability resides in the Core server component of the software.

  • Attacker must be on the same network.
  • Attacker injects SQL commands.
  • Attacker gains code execution.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability has been identified in Ivanti Endpoint Manager software. This vulnerability could allow an attacker within the same network to execute arbitrary code, potentially leading to significant business disruption. The nature of this vulnerability suggests it poses a considerable risk to organizations utilizing the affected software.

  • Likely attacker skill level: Low.
  • Required access or conditions: Same network.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An SQL injection vulnerability in Ivanti Endpoint Manager Core Server allows an attacker on the same network to execute arbitrary code. This issue impacts organizations using specific versions of Ivanti EPM up to and including 2022 SU5. The vulnerability presents a significant risk due to its potential for code execution and data compromise.

  • Identify Ivanti EPM core servers and affected versions.
  • Restrict network access to Ivanti EPM core servers.
  • Apply vendor updates and validate their implementation.
  • Monitor network traffic for suspicious activity.
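A small triage helper for the first remediation step above, added here as an example (it is not the advisory's or Ivanti's own tooling): it parses Ivanti EPM version strings such as "2022 SU5" and flags hosts whose version falls in the affected range, up to and including 2022 SU5. The inventory is constructed sample data, and treating every release newer than 2022 SU5 as fixed is an assumption.

```python
"""Triage helper for CVE-2024-29824: flag Ivanti EPM Core servers whose
version is at or below 2022 SU5 (the last affected release per the advisory)."""
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Constructed sample inventory: hostnames and versions are made up for
# illustration and do not describe any real environment.
SAMPLE_INVENTORY = [
    ("epm-core-01.corp.example", "2022 SU5"),
    ("epm-core-02.corp.example", "2022 SU6"),
    ("epm-core-03.corp.example", "2022"),
    ("epm-core-04.corp.example", "2021 SU3"),
    ("epm-core-05.corp.example", "2024"),
    ("epm-core-06.corp.example", "unknown"),
]

LAST_AFFECTED = (2022, 5)  # 2022 SU5, the last affected release named on the page

class Version(NamedTuple):
    year: int
    su: int  # service update number; a bare year such as "2022" counts as SU0

VERSION_RE = re.compile(r"^\s*(\d{4})(?:\s*SU\s*(\d+))?\s*$", re.IGNORECASE)

def parse_version(text: str) -> Optional[Version]:
    """Parse '2022 SU5' or '2022'; return None when the string is not a version."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return Version(int(m.group(1)), int(m.group(2) or 0))

def is_affected(text: str) -> Optional[bool]:
    """True if version <= 2022 SU5, False if newer, None if unparseable
    (unknown versions need manual verification rather than a silent pass)."""
    v = parse_version(text)
    if v is None:
        return None
    # Assumption: any release after 2022 SU5 (later SU or later year) is fixed.
    return (v.year, v.su) <= LAST_AFFECTED

def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'patch' (affected), 'ok' (newer) or 'verify' (unknown)."""
    result = {}
    for host, version in inventory:
        affected = is_affected(version)
        result[host] = "verify" if affected is None else ("patch" if affected else "ok")
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```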

Frequently asked questions

What is Ivanti Endpoint Manager and its function?

Ivanti Endpoint Manager (EPM) is a tool for IT professionals to manage and secure devices like desktops, laptops, and servers. It automates tasks such as software deployment, patch management, and inventory to help organizations operate efficiently and remain compliant.

What type of vulnerability is CVE-2024-29824 and how does it function?

CVE-2024-29824 is an SQL Injection weakness (CWE-89). Attackers insert malicious SQL commands into queries, potentially allowing them to access, alter, or delete data, or execute unauthorized code on the affected system.

What conditions allow an attacker to exploit CVE-2024-29824?

An attacker needs to be on the same network as the vulnerable Ivanti Endpoint Manager Core server. They can then inject SQL commands to gain arbitrary code execution without needing any prior authentication.

How relevant is CVE-2024-29824 given its network requirements?

The vulnerability requires the attacker to be on the same network (adjacent access), which limits broad internet reach, and Ivanti EPM core servers are usually deployed on internal networks. Exploitation by external attackers is therefore unlikely, but the flaw remains a concern for threats already inside the network.

What steps should be taken to address the Ivanti EPM vulnerability?

Organizations should identify their Ivanti EPM core servers and affected versions. It is crucial to restrict network access to these servers and apply vendor-provided updates. Monitoring network traffic for suspicious activity is also recommended.
