Researchers have developed a proof-of-concept (PoC) exploit for a critical vulnerability in Ivanti Endpoint Manager that was recently disclosed — potentially setting the stage for mass exploitation of the devices.
CVE-2024-29824, an SQL injection bug, was first discovered by an independent researcher and sold to Trend Micro’s Zero Day Initiative (ZDI). ZDI informed Ivanti of the issue on April 3.
It affects the company’s centralized endpoint management solution, an attractive target for any hacker interested in compromising many devices across an organization from one launch point. The issue allows unauthenticated attackers to perform remote code execution (RCE) in the program, earning it a critical 9.8 out of 10 CVSS score.
“Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system,” says Dustin Childs, head of threat awareness at ZDI. “From there, they would be able to affect other systems and do whatever you’re using the Endpoint Manager to do.”
The specific flaw lay in “RecordGoodApp,” a method within a dynamic link library (DLL) file called “PatchBiz,” contained within the program’s core server. As outlined in a new blog post from Horizon3.ai, which published the PoC on GitHub, an attacker can take advantage of RecordGoodApp’s very first string, which does not sufficiently validate user input data before constructing SQL queries. They demonstrated as much by sending a “fairly trivial” request to an endpoint handling events, convincing it to run Windows Notepad.
Ivanti’s Response
Few organizations in cybersecurity history have been taken to task like Ivanti this year. Initially there were a couple of zero-day vulnerabilities, then another, then a whole lot more. Patches rolled in slowly and exploits skyrocketed, including some especially high-profile cases. Then, just as the bad press was finally starting to die down, this latest vulnerability arrived, equal in posing risk to corporations as any that had come before.
The good news: Childs emphasizes that, despite Ivanti’s recent troubles, it handled this latest vulnerability by the book.
“It’s not like we had to convince them [to patch]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That’s about as good as you’re going to see,” he says. “So yes, they’ve had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner.”
Ivanti published a patch for CVE-2024-29824 alongside its disclosure on May 24. Customers who haven’t yet would be well advised to implement it as soon as possible, since threat actors have a history of piling on Ivanti vulnerabilities anyway, and an available, working PoC will likely spur them on further.
Besides patching, organizations can also focus on keeping their management interfaces protected from the wider Web. “Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are [trusted],” Childs says.
Leave a Reply