WARNING: IVANTI RELEASES URGENT SECURITY UPDATES FOR ENDPOINT MANAGER VULNERABILITIES PATCH IMMEDIATELY!

Published : 11/09/2024

Reference:
Advisory #2024-220

Version:
1.0

Affected software:
Ivanti Endpoint Manager

Type:
Remote code execution and SQL injection

CVE/CVSS:
CVE-2024-29847: CVSS 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, CVE-2024-34785: CVSS 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US

Risks

Ivanti has released updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.

Successful exploitation could allow remote code execution on the EPM core server. Depending on the privileges of the compromised account, an attacker could then install programs or view, change, or delete data.

Among the addressed critical vulnerabilities is a maximum-severity vulnerability (CVSS 10), tracked as CVE-2024-29847, which requires no authentication, and 9 SQL injection vulnerabilities (CVSS 9.1) that allow a remote attacker who is already authenticated with admin privileges to achieve remote code execution.

There are currently no reports of these vulnerabilities being exploited in the wild, but the widespread use of Ivanti EPM in public- and private-sector organisations makes prompt application of the updates provided by Ivanti to vulnerable systems essential.

Additionally, taking into account the history of targeting Ivanti products, these vulnerabilities could attract attention due to the significant access that can be gained by compromising the EPM core server.

Update 16/09/2024 - There is a PoC available which could increase the risk of active exploitation. Please update your systems now.

Description

CVE-2024-29847, with a CVSS score of 10 (critical), is caused by a deserialization of untrusted data weakness in the agent portal of Ivanti EPM. Successful exploitation could give an attacker unauthorized access to the EPM core server and allow arbitrary code execution, without having to authenticate to the system beforehand.

The vulnerability affects the agent portal of Ivanti Endpoint Manager 2024 without the September security hot patch, and of Ivanti Endpoint Manager 2022 SU5 and earlier.

It is recommended to update to Ivanti Endpoint Manager v2022 SU6 and to apply a “security hot patch” for EPM v2024.

The company has also released:

  • a security update for Ivanti Cloud Service Appliance (CSA) 4.6 that patches an authenticated OS command injection vulnerability (CVE-2024-8190), which also leads to remote code execution
  • Ivanti Workspace Control v10.18.99.0, which features a new architecture that addresses six vulnerabilities that could be exploited for privilege escalation and lateral movement

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing. Verify afterwards that every EPM core server actually runs the fixed build, not only that the update was scheduled.
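The following PowerShell script is an added example for verifying the installed product version on a Windows core server; it is not part of the CCB advisory or of Ivanti's tooling. It enumerates the Windows Uninstall registry keys and compares the DisplayVersion of any matching product against a minimum fixed build. The DisplayName pattern and the minimum version are placeholders (assumptions): take the exact product name and fixed build numbers for EPM 2022 SU6 and the EPM 2024 September hot patch from Ivanti's advisory before relying on the result.

```powershell
# Added example, not from the CCB advisory or from Ivanti.
# Checks installed product versions found in the Windows Uninstall registry keys
# against a minimum fixed build. Both parameters are ASSUMPTIONS to be replaced
# with the values from Ivanti's advisory.
param(
    # ASSUMPTION: wildcard pattern for the product's DisplayName in the registry
    [string]$DisplayNamePattern = '*Ivanti*Endpoint Manager*',
    # ASSUMPTION: minimum build that contains the fix (placeholder value)
    [version]$MinimumFixedVersion = '0.0.0.0'
)

# Both 64-bit and 32-bit uninstall hives; a product can be registered in either.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $DisplayNamePattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $installed) {
    Write-Output "No product matching '$DisplayNamePattern' found in the Uninstall registry keys."
    exit 0
}

foreach ($p in $installed) {
    # DisplayVersion is a free-form string; parse defensively instead of casting.
    $ver = $null
    $parsed = [version]::TryParse($p.DisplayVersion, [ref]$ver)
    $state = if (-not $parsed) { 'UNKNOWN (unparseable version string)' }
             elseif ($ver -ge $MinimumFixedVersion) { 'OK (at or above fixed build)' }
             else { 'VULNERABLE (below fixed build, patch required)' }

    [pscustomobject]@{
        Product     = $p.DisplayName
        Version     = $p.DisplayVersion
        InstallDate = $p.InstallDate
        Status      = $state
    }
}
```

Run it locally on each core server or through Invoke-Command across the fleet. A caveat: a hot patch does not necessarily change the product's DisplayVersion, so for EPM 2024 confirm the September hot patch using the verification method Ivanti describes in its advisory rather than relying on this registry check alone.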

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC?language=en_US

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US

CIS (Center for Internet Security) - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-ivanti-products-could-allow-for-remote-code-execution_2024-099