Governance & Risk Management , Network Firewalls, Network Access Control , Patch Management
Ivanti Confirms Exploitation of an Old Critical Vuln
Remote Code Execution Bug Exploited in Limited AttacksIvanti confirmed that hackers are exploiting an SQL injection vulnerability in its Ivanti Endpoint Manager enabling remote code execution, despite the company addressing the issue with a patch in May.
The U.S. Cybersecurity and Infrastructure Security Agency Wednesday advised organizations to prioritize patching the vulnerability, tracked as CVE 2024-29824. It carries a CVSS score of 9.6 and was first disclosed in May, with Ivanti releasing a fix for the flaw and five other remote code execution bugs (see: Security Researchers Expose Critical Flaw in Ivanti Software).
"An unspecified SQL injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code," internet appliance maker Ivanti said in a May advisory.
Ivanti Endpoint Manager is a systems management solution designed to help organizations manage and secure endpoints such as laptops, desktops, servers and mobile devices. It can manage Windows, macOS, Linux, Chrome OS and IoT devices. It enables streamlining of IT operations through centralized management and automation.
Ivanti has over 40,000 customers, including 88 of the Fortune 100 companies. Many of its customers have been on a treadmill of emergency patching since early this year. Researchers disclosed that Ivanti gateway appliances earlier this year were at the center of an espionage hacking operation likely conducted by China. CISA was among the affected customers (see: Ivanti Vulnerability Again Forces Emergency Patches).
The flaw allows unauthenticated attackers within the same network to execute arbitrary code on vulnerable systems. The flaw exists in implementing the RecordGoodApp method in a DLL named patchbiz.dll
.
Horizon3.ai in June released a detailed proof-of-concept exploit that can trigger the flaw and allow a hacker to perform a remote attack on multiple vulnerable devices across an enterprise.
Researchers discovered a potentially vulnerable function called RecordGoodApp, located within the patchbiz.dll
file after installation. The binaries for this application are stored in C:Program FilesLANDesk
. Using the JetBrains dotPeek tool, analysts disassembled the patchbiz.dll
C# binary and identified the RecordGoodApp method.
Within this function, the first SQL statement appears susceptible to SQL injection due to the use of string.Format
to insert the value of goodApp.md5
into the query. If attackers can manipulate the goodApp.md5 value, they could exploit the vulnerability and trigger an SQL injection.
Despite the available patches, threat actors have managed to exploit unpatched systems.
CVE-2024-29824 represents a particularly dangerous flaw due to its ability to let attackers gain full control over compromised systems, said Mayuresh Dani, manager of security research at Qualys Threat Research Unit.
"Proof-of-concept code that exploits this vulnerability has been available since early June. Multiple versions of this code leverage the xp_cmdshell
feature in SQL Servers, allowing attackers to execute arbitrary Windows commands, download and run malicious scripts, and manipulate files," Dani said.