Governance & Risk Management , Network Firewalls, Network Access Control , Patch Management

Ivanti Confirms Exploitation of an Old Critical Vuln

Remote Code Execution Bug Exploited in Limited Attacks
Ivanti Confirms Exploitation of an Old Critical Vuln
Hackers are attacking unpatched Ivanti Endpoint Manager instances. (Image: Ivanti)

Ivanti confirmed that hackers are exploiting an SQL injection vulnerability in its Ivanti Endpoint Manager enabling remote code execution, despite the company addressing the issue with a patch in May.

See Also: The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

The U.S. Cybersecurity and Infrastructure Security Agency Wednesday advised organizations to prioritize patching the vulnerability, tracked as CVE 2024-29824. It carries a CVSS score of 9.6 and was first disclosed in May, with Ivanti releasing a fix for the flaw and five other remote code execution bugs (see: Security Researchers Expose Critical Flaw in Ivanti Software).

"An unspecified SQL injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code," internet appliance maker Ivanti said in a May advisory.

Ivanti Endpoint Manager is a systems management solution designed to help organizations manage and secure endpoints such as laptops, desktops, servers and mobile devices. It can manage Windows, macOS, Linux, Chrome OS and IoT devices. It enables streamlining of IT operations through centralized management and automation.

Ivanti has over 40,000 customers, including 88 of the Fortune 100 companies. Many of its customers have been on a treadmill of emergency patching since early this year. Researchers disclosed that Ivanti gateway appliances earlier this year were at the center of an espionage hacking operation likely conducted by China. CISA was among the affected customers (see: Ivanti Vulnerability Again Forces Emergency Patches).

The flaw allows unauthenticated attackers within the same network to execute arbitrary code on vulnerable systems. The flaw exists in implementing the RecordGoodApp method in a DLL named patchbiz.dll.

Horizon3.ai in June released a detailed proof-of-concept exploit that can trigger the flaw and allow a hacker to perform a remote attack on multiple vulnerable devices across an enterprise.

Researchers discovered a potentially vulnerable function called RecordGoodApp, located within the patchbiz.dll file after installation. The binaries for this application are stored in C:Program FilesLANDesk. Using the JetBrains dotPeek tool, analysts disassembled the patchbiz.dll C# binary and identified the RecordGoodApp method.

Within this function, the first SQL statement appears susceptible to SQL injection due to the use of string.Format to insert the value of goodApp.md5 into the query. If attackers can manipulate the goodApp.md5 value, they could exploit the vulnerability and trigger an SQL injection.

Despite the available patches, threat actors have managed to exploit unpatched systems.

CVE-2024-29824 represents a particularly dangerous flaw due to its ability to let attackers gain full control over compromised systems, said Mayuresh Dani, manager of security research at Qualys Threat Research Unit.

"Proof-of-concept code that exploits this vulnerability has been available since early June. Multiple versions of this code leverage the xp_cmdshell feature in SQL Servers, allowing attackers to execute arbitrary Windows commands, download and run malicious scripts, and manipulate files," Dani said.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.