Ivanti Addresses Critical Remote Code Execution Vulnerabilities in Endpoint Manager

On Tuesday, Ivanti addressed several critical security vulnerabilities in its Endpoint Manager (EPM) that could be exploited to achieve remote code execution in specific scenarios. Six of them, tracked as CVE-2024-29822 through CVE-2024-29827, carry a Common Vulnerability Scoring System (CVSS) score of 9.6. These flaws primarily stem from SQL injection and enable unauthenticated attackers on the same network to execute arbitrary code.

Four further issues, identified as CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846, carry a CVSS score of 8.4. Unlike the first group, these defects require the attacker to be authenticated. All ten vulnerabilities affect the Core server of Ivanti EPM versions 2022 SU5 and earlier.

Ivanti also patched a significant vulnerability in its Avalanche product, version 6.4.3.602 (CVE-2024-29848), rated at a CVSS score of 7.2. This flaw permits an attacker to achieve remote code execution by uploading a specially crafted file, posing serious risks to system integrity.

In total, Ivanti has rolled out fixes for five additional high-severity vulnerabilities, including an SQL injection in Neurons for ITSM (CVE-2024-22059), an unrestricted file upload bug (CVE-2024-22060) in the same platform, a CRLF injection in Connect Secure (CVE-2023-38551), and two local privilege escalation vulnerabilities affecting the Secure Access client for Windows and Linux (CVE-2023-38042 and CVE-2023-46810).

Ivanti has emphasized that there is no evidence that any of these vulnerabilities have been exploited in the wild, nor is there any indication of malicious introduction through supply chain attacks. This assurance comes amid growing concerns regarding various other critical vulnerabilities within different software systems, including an open-source version of Netflix’s Genie system, which has seen its own critical flaw (CVE-2024-4701) reported.

The Genie vulnerability is classified as a path traversal issue, allowing for arbitrary file writing and execution, affecting all versions prior to 4.3.18. This is a reminder of the potential dangers posed by systems that accept user-supplied inputs without adequate validation.

Businesses relying on these tools must remain vigilant, especially as the U.S. government has recently urged software developers to adopt a ‘secure by design’ approach to combat potential exploits. Building security in from the design phase through to product updates is essential in mitigating the risks posed by cybersecurity threats.

With the escalating frequency of vulnerabilities affecting commercial software, including those reported in Honeywell’s Control Edge Unit Operations Controller (UOC), proactive security measures are critical. As organizations continue to face threats, the exploitation of weaknesses such as directory traversal and SQL injection becomes a stark reality, highlighting the necessity for stringent security practices and robust patch management.

In this evolving landscape, understanding and addressing potential MITRE ATT&CK tactics, such as initial access, exploitation of vulnerabilities, privilege escalation, and persistence, is essential for any organization aiming to bolster its cybersecurity defenses. The recent developments signal a clear need for increased awareness and strategic action among business owners to protect their digital assets against emerging threats.
