Urgent Call to Patch: Exploit Code for Critical Ivanti RCE Vulnerability Released

September 16, 2024

A proof-of-concept (PoC) exploit has been published for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager (EPM), making it imperative that administrators update their installations. The flaw is a deserialization of untrusted data issue affecting EPM 2022 before SU6 and EPM 2024; it was patched in the September 2024 update. The vulnerability was discovered by security researcher Sina Kheirkhah, who reported it through the Zero Day Initiative on May 1, 2024. Kheirkhah has now published full exploitation details for CVE-2024-29847, which is likely to spur attacks.

The vulnerability stems from insecure deserialization within the AgentPortal.exe executable, specifically the OnStart method of the service. This method utilizes the deprecated Microsoft .NET Remoting framework to enable communication between remote objects. The service registers a TCP channel with dynamically assigned ports and lacks security enforcement, making it susceptible to remote attacker manipulation.
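As an added illustration (not Ivanti's code and not a description of how AgentPortal.exe is actually written), the snippet below contrasts the .NET Remoting registration pattern the article describes, a TCP channel on a dynamically assigned port with no security enforcement, with a locked-down registration. The PortalService class, the "Portal" object URI and the fixed port 8085 are assumptions made for the example.

```csharp
// Added illustration, not Ivanti's code: a .NET Remoting service registered the
// way the article describes (TCP channel, dynamic port, no security enforcement)
// next to a locked-down registration. PortalService, the object URI and the
// fixed port are assumptions for the example.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical remoted object standing in for whatever the real service exposes.
public class PortalService : MarshalByRefObject
{
    public string Ping() => "pong";
}

public static class ChannelSetup
{
    // Weak pattern: port 0 lets the runtime pick a port at startup (hard to
    // firewall or monitor) and ensureSecurity = false means no authentication
    // or encryption, so any host that can reach the port talks straight to the
    // BinaryFormatter-based deserializer behind the channel.
    public static void RegisterWeakChannel()
    {
        var channel = new TcpChannel(0);
        ChannelServices.RegisterChannel(channel, ensureSecurity: false);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(PortalService), "Portal", WellKnownObjectMode.Singleton);
    }

    // Hardened pattern: fixed port so it can be firewalled, Windows
    // authentication plus encryption on the channel, loopback-only clients,
    // and the server formatter kept at the Low type filter. The article notes
    // that the Low filter alone can be bypassed, so this reduces exposure but
    // is no substitute for the vendor patch (or for retiring Remoting).
    public static void RegisterHardenedChannel()
    {
        var serverProvider = new BinaryServerFormatterSinkProvider
        {
            TypeFilterLevel = TypeFilterLevel.Low
        };
        var props = new Hashtable
        {
            ["port"] = 8085,                 // assumed fixed port
            ["secure"] = true,               // authenticate and encrypt
            ["rejectRemoteRequests"] = true  // loopback only; drop if remote agents must connect
        };
        var channel = new TcpChannel(props, null, serverProvider);
        ChannelServices.RegisterChannel(channel, ensureSecurity: true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(PortalService), "Portal", WellKnownObjectMode.Singleton);
    }
}
```

The point of the contrast is operational: a fixed, authenticated, encrypted channel is something a defender can firewall, monitor and restrict to known clients, whereas a dynamic unauthenticated port is reachable by anything on the network segment. Because the type filter can be bypassed, as the article describes, channel hardening only narrows who can reach the deserializer; the vendor update remains the fix.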

Kheirkhah's attack process involves creating a Hashtable filled with serialized objects and sending it to the vulnerable endpoint. Upon deserialization, these objects perform arbitrary operations by invoking methods on DirectoryInfo or FileInfo objects, which lets the attacker read or write files on the server, including deploying web shells that execute arbitrary code. A 'low' type filter limits which objects can be deserialized, but, as described by James Forshaw, this filter can be bypassed.

Ivanti has issued a security 'hot patch' for EPM 2022 (SU6) and EPM 2024 (the September 2024 update). The vendor provides no other mitigations or workarounds, so the only recommendation is to apply the security update.

In January, CISA warned that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile product was being actively exploited. Ivanti confirmed last week that hackers are actively exploiting a high-severity remote code execution flaw, tracked as CVE-2024-8190, in its Cloud Services Appliance (CSA). CISA has also added this flaw to its Known Exploited Vulnerabilities catalog, with a deadline set for securing vulnerable appliances by October 4, 2024.
