

PoC Exploit for Ivanti Endpoint Manager's Critical RCE Bug Arises

Researchers have published a proof-of-concept (PoC) exploit for a previously disclosed critical vulnerability in Ivanti Endpoint Manager, which could open the door to widespread exploitation of managed devices. CVE-2024-29824 is a SQL injection flaw first identified by an independent researcher, who sold it to Trend Micro's Zero Day Initiative (ZDI). ZDI reported the problem to Ivanti on April 3.

The flaw affects the company's centralized endpoint management product, which makes it an attractive target: an attacker who compromises it can reach many endpoints inside an organization from a single entry point. The vulnerability carries a critical CVSS score of 9.8 out of 10 and allows unauthenticated attackers to achieve remote code execution (RCE). "Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system," says Dustin Childs, head of threat awareness at ZDI. "From there, they would be able to affect other systems and do whatever you're using the Endpoint Manager to do."

The flaw lies in a method named "RecordGoodApp" in the "PatchBiz" dynamic link library (DLL), part of the product's core server. Horizon3.ai published the PoC on GitHub and, in a recent blog post, described how an attacker could abuse the method's initial string, which is assembled from user-supplied input without adequate validation before it is used to build SQL queries. To demonstrate the issue, the researchers sent the Endpoint Manager server a "fairly trivial" request that caused it to launch Windows Notepad.
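The defect class described above, string concatenation of user input into a SQL statement, is easiest to understand side by side with its fix. The following is an added illustration, not code from Ivanti, Horizon3.ai or the PatchBiz DLL: `lookup_app_vulnerable` is a hypothetical stand-in that mimics the concatenation pattern, `lookup_app_safe` is the parameterized form, and `is_valid_app_name` is an extra allowlist check a defender would layer on top. The table, its rows and the sample inputs are all constructed for the example, and SQLite is used only because it runs in-process with no setup.

```python
import re
import sqlite3

# Constructed sample data standing in for an "approved applications" table.
SAMPLE_APPS = [
    ("notepad.exe", "approved"),
    ("calc.exe", "approved"),
    ("unknown.exe", "blocked"),
]

# Hypothetical allowlist for application names: letters, digits, dot, dash, underscore.
APP_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE good_apps (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO good_apps VALUES (?, ?)", SAMPLE_APPS)
    conn.commit()
    return conn


def lookup_app_vulnerable(conn, app_name):
    """Hypothetical stand-in for the flawed pattern: input spliced into SQL text.

    The value becomes part of the statement itself, so a quote character in the
    input changes the query's structure instead of being treated as data.
    """
    sql = "SELECT name, status FROM good_apps WHERE name = '" + app_name + "'"
    return conn.execute(sql).fetchall()


def lookup_app_safe(conn, app_name):
    """Parameterized form: the driver binds the value, it never touches the SQL text."""
    return conn.execute(
        "SELECT name, status FROM good_apps WHERE name = ?", (app_name,)
    ).fetchall()


def is_valid_app_name(app_name):
    """Defense in depth: reject names outside a conservative allowlist before any query."""
    return APP_NAME_RE.fullmatch(app_name) is not None


def vulnerable_raises_on_apostrophe(conn, app_name):
    """Return True if the concatenating version fails on an ordinary name containing a quote."""
    try:
        lookup_app_vulnerable(conn, app_name)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups against a normal name and a constructed quote-breaking input."""
    conn = make_db()
    normal = "notepad.exe"
    crafted = "x' OR 'a'='a"  # constructed: closes the quote and appends a true condition
    benign_quote = "O'Reilly.exe"  # constructed: legitimate-looking name with an apostrophe
    return {
        "vuln_normal": lookup_app_vulnerable(conn, normal),
        "vuln_crafted": lookup_app_vulnerable(conn, crafted),  # returns every row
        "safe_normal": lookup_app_safe(conn, normal),
        "safe_crafted": lookup_app_safe(conn, crafted),  # no row has that literal name
        "vuln_breaks_on_apostrophe": vulnerable_raises_on_apostrophe(conn, benign_quote),
        "safe_handles_apostrophe": lookup_app_safe(conn, benign_quote),
        "allowlist_accepts_normal": is_valid_app_name(normal),
        "allowlist_rejects_crafted": not is_valid_app_name(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenating version both leaks every row for the crafted input and breaks outright on a harmless name containing an apostrophe, which is a useful tell during code review: if legitimate data with quote characters causes SQL errors, the query is almost certainly built by string assembly. The parameterized version gives correct results in both cases, and the allowlist check rejects the crafted value before a query is ever issued.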

Ivanti's Reaction

This year, Ivanti has faced more scrutiny than almost any other firm in the history of cybersecurity. A handful of zero-day vulnerabilities came first, followed by several more. As patches trickled out, exploitation surged, including several particularly high-profile incidents. Then, just as the negative headlines were beginning to fade, this new flaw emerged, posing as much of a threat to organizations as any of the others. The good news, Childs notes, is that despite its earlier troubles, Ivanti handled this latest vulnerability by the book.

"They didn't need to be persuaded to repair by us. When we reported it to them, they started working on it right away. In six weeks, they had a patch. That's pretty much the best you'll see," he remarks. "So yes, they've had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner."

Ivanti released a fix for CVE-2024-29824 on May 24, alongside its disclosure. Because threat actors have a history of building on Ivanti vulnerabilities, customers who have not yet installed the patch should do so as soon as possible; the availability of a working proof of concept will likely encourage attackers further.

Beyond patching, organizations should focus on keeping their management interfaces off the open Internet. "Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are [trusted]," Childs advises.
