- Ivanti has released patches to address multiple critical security vulnerabilities in its Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain conditions.
- Six of the ten vulnerabilities—designated CVE-2024-29822 through CVE-2024-29827, with CVSS scores of 9.6—are SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
- The remaining four vulnerabilities—CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846, each with CVSS scores of 8.4—require the attacker to be authenticated to exploit similar flaws.
The discovered vulnerabilities affect the Core server of Ivanti EPM versions 2022 SU5 and prior.
Ivanti has addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2), which could allow an attacker to achieve remote code execution by uploading a specially crafted file.
Furthermore, Ivanti released patches for five other high-severity vulnerabilities:
- An SQL injection (CVE-2024-22059) and an unrestricted file upload flaw (CVE-2024-22060) in Neurons for ITSM.
- A CRLF injection vulnerability in Connect Secure (CVE-2023-38551).
- Two local privilege escalation issues in the Secure Access client, affecting both Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti emphasized that there is no evidence these vulnerabilities have been exploited in the wild or that they were introduced into their code development process maliciously via a supply chain attack.
The development of these patches comes as details emerge about a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix.
This vulnerability (CVE-2024-4701, CVSS score: 9.9) could lead to remote code execution. The issue is described as a path traversal vulnerability that could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The Genie vulnerability stems from its REST API, which accepts a user-supplied filename as part of the request.
A malicious actor could craft a filename to break out of the default attachment storage path and write a file with any user-specified name to a location of their choosing on the file system.
The maintainers of Genie warned in an advisory that users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application might be impacted. Users who do not store attachments locally are not susceptible to this issue.
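The traversal pattern described above, shown as an added illustration rather than Genie's own code (Genie is a Java project; this is a generic Python model of the same flaw class): an attachment-store helper that joins a client-supplied filename onto a per-job directory without validation, beside a hardened version that rejects any name carrying a directory component and then re-checks that the normalized path still lies under the storage root. The root directory, job id and filenames are constructed values for the example.

```python
import posixpath

# Constructed storage root for this example; not Genie's real configuration.
ATTACHMENT_ROOT = "/srv/attachments"


def unsafe_attachment_path(job_id: str, filename: str, root: str = ATTACHMENT_ROOT) -> str:
    """Vulnerable pattern: the filename from the request is joined onto the
    per-job directory as-is. A value containing '..' walks out of the job
    directory, and a leading '/' makes posixpath.join discard the root
    entirely, so the caller ends up writing wherever the client chose."""
    return posixpath.normpath(posixpath.join(root, job_id, filename))


def _is_bare_name(segment: str) -> bool:
    """True only for a single path component with no separators, NULs,
    or the special entries '.' and '..'."""
    if not segment or segment in (".", ".."):
        return False
    if any(ch in segment for ch in "/\\\x00"):
        return False
    return posixpath.basename(segment) == segment


def safe_attachment_path(job_id: str, filename: str, root: str = ATTACHMENT_ROOT) -> str:
    """Hardened pattern: treat both the job id and the filename as bare
    names, then verify containment after normalization as a second layer."""
    if not _is_bare_name(job_id):
        raise ValueError(f"invalid job id: {job_id!r}")
    if not _is_bare_name(filename):
        raise ValueError(f"invalid attachment name: {filename!r}")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, job_id, filename))
    # Defence in depth: even if the checks above were bypassed, refuse any
    # result whose longest common prefix with the root is not the root itself.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("attachment path escapes storage root")
    return candidate


def rejects(job_id: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this input?"""
    try:
        safe_attachment_path(job_id, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request values: one benign upload and two traversal attempts.
    for name in ("report.txt", "../../../etc/cron.d/x", "/tmp/evil"):
        print(f"{name!r:>28}  unsafe -> {unsafe_attachment_path('job-1', name)}"
              f"  safe rejects -> {rejects('job-1', name)}")
```

The containment check uses `posixpath` rather than `os.path` so the output is identical on every platform; in a real service the same check would be performed against the real, symlink-resolved directory (`os.path.realpath`) immediately before the file is opened for writing.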
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal defects in software to breach targets.
The U.S. government called on developers to adopt a secure-by-design approach to eliminate such security holes. This approach emphasizes incorporating risk mitigation from the design phase through to product release and updates, thereby reducing the cybersecurity burden on customers and the associated public risk.
The disclosure of Ivanti’s vulnerabilities and the Genie issue follows the revelation of vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s Control Edge Unit Operations Controller (UOC). These vulnerabilities can result in unauthenticated remote code execution.
According to Claroty, an attacker on an OT network could exploit these vulnerabilities using a malicious network packet, thereby compromising the virtual controller. Such an attack could be carried out remotely to modify files, resulting in full control of the controller and the execution of malicious code.
Ivanti’s swift action to address these critical security flaws in Endpoint Manager and other products demonstrates the company’s commitment to safeguarding its systems against potential exploitation.
The simultaneous emergence of significant vulnerabilities in other systems, such as Netflix’s Genie and Honeywell’s UOC, underscores the ongoing challenge of cybersecurity in an increasingly interconnected world. The call for secure-by-design development practices by the U.S. government highlights the importance of proactive security measures in mitigating the risk of exploitation.
As organizations continue to rely on complex software solutions, the vigilance and responsiveness of software providers and developers remain crucial in protecting against emerging threats.