Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: IVANTI PATCHED MULTIPLE VULNERABILITIES IN IVANTI EPM, IVANTI APPLICATION CONTROL ENGINE AND IVANTI AVALANCHE, PATCH IMMEDIATELY!
Image
Published : 15/01/2025
Reference:
Advisory #2025-012
Version:
2.0
Affected software:
Ivanti Application Control Engine
Ivanti Avalanche
Ivanti EPM
Type:
Multiple types, including Path traversal vulnerabilities
CVE/CVSS:
Ivanti EPM
- CVE-2024-10811: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-13161: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-13160: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-13159: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-10630: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-13181: CVSS 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
- CVE-2024-13180: CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- CVE-2024-13179: CVSS 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Sources
Ivanti EPM - https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
Ivanti Application Control Engine - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Application-Control-Engine-CVE-2024-10630?language=en_US
Ivanti Avalanche - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs?language=en_US
Risks
Ivanti released three vulnerability advisories for Ivanti EPM, Ivanti Application Control Engine and Ivanti Avalanche. The advisories cover multiple vulnerabilities patched in these products. 16 vulnerabilities were patched in Ivanti EPM, 1 vulnerability in Ivanti Application Control Engine and 3 vulnerabilities in Ivanti Avalanche.
The most severe vulnerabilities addressed include four absolute path traversal flaws in Ivanti EPM, which could enable remote, unauthenticated attackers to expose sensitive information.
Description
CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 – Ivanti EPM
CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 are Path Traversal vulnerabilities identified in Ivanti Avalanche. These vulnerabilities allow an unauthenticated remote attacker to leak sensitive information. These vulnerabilities have been assigned a severity score of 9.8. At this time, Ivanti is not aware of any vulnerability being exploited in the wild.
CVE-2024-13158 – Ivanti EPM
CVE-2024-13158 is an unbounded resource search path vulnerability in Ivanti EPM This vulnerability allows a remote authenticated attacker with admin privileges to execute remote code. This vulnerability has been assigned a severity score of 7.2.
CVE-2024-13172 – Ivanti EPM
CVE-2024-13172 is an improper signature verification vulnerability in Ivanti EPM that allows a remote, unauthenticated attacker to execute remote code. Local user interaction is necessary to exploit this issue. This vulnerability has been assigned a severity score of 7.8.
CVE-2024-10630 – Ivanti Application Control Engine
CVE-2024-10630 is a race condition in Ivanti Application Control Engine that allows a local authenticated attacker to bypass the application blocking functionality. This vulnerability has been assigned a severity score of 7.8.
CVE-2024-13180 – Ivanti Avalanche
CVE-2024-13180 is a Path Traversal in Ivanti Avalanche that allows remote, unauthenticated attackers to expose sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011. The vulnerability has been assigned a severity score of 7.5.
Other vulnerabilities
While these are the most noteworthy vulnerabilities patched by Ivanti, there are also other critical vulnerabilities addressed in these advisories. If you use Ivanti EPM, Ivanti Application Control Engine, or Ivanti Avalanche devices, please review the Ivanti advisory and update your products.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Update: 2025-02-21
Ivanti published a V2 of the patch for the abovementioned vulnerabilities. Applying the original patch (EPM_2024_Flat_Jan_2025_Patch.zip and EPM_2022_SU6_Jan_2025_Patch.zip) caused a known issue with Windows Action in Software Distribution. More specifically, the "Actions" tab was not visible, thus preventing users from creating new Windows Action packages or editing existing ones. Please note that existing packages continue to function as expected.
- For more information and to follow the progress of this known issue, 104977: Unable to Modify Windows Actions After Applying January Security Advisory Hot Patch
Ivanti updated this patch to a V2 version that restores the "Actions" tab. If the original version was installed, V2 needs to be installed as well to restore the "Actions" tab.
Due to the changes made in the V2 patch, there are some needed changes in order for Windows Action packages to be fully functional again. Please see Change to Windows Action Packages in January 2025 Hot Patch for more information.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
SecurityWeek - https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-endpoint-manager-2/
SecurityOnline - https://securityonline.info/ivanti-endpoint-manager-patches-critical-security-vulnerabilities/