Get Up to Date: Ivanti EPM's RCE Exploit Is Actively Circulating

A security flaw allows attackers to take full control of the system.

Researchers have published a PoC exploit for a critical vulnerability in Ivanti Endpoint Manager (CVE-2024-29847, CVSS score: 9.8) that allows remote code execution (RCE). The exploit is now publicly available, which makes it especially important to keep affected systems up to date to protect against possible attacks.

The vulnerability is an untrusted-data deserialization flaw that affects versions of Ivanti Endpoint Manager prior to 2022 SU6 and EPM 2024. It was discovered by security researcher Sina Kheirkhah (@SinSinology) and reported through the Zero Day Initiative (ZDI) on May 1, 2024. He recently published a detailed write-up of how the vulnerability is exploited, which could lead to an increase in attacks in the near future.

The vulnerability stems from insecure deserialization in the AgentPortal.exe component, specifically in its OnStart method. This method uses the legacy Microsoft .NET Remoting technology to expose remote objects, which opens the door for attackers to inject malicious serialized objects into the system.

The attack involves sending specially crafted serialized objects to the affected server, which lets the attacker perform arbitrary operations, including reading and writing files. This can lead to the installation of web shells that execute code on the server.

Although the vulnerable component restricts the deserialization of certain objects, researcher Kheirkhah described a way to bypass this restriction, which makes the vulnerability even more dangerous.
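As an added illustration (not code from the post, from Ivanti, or from the researcher's write-up), the following Python triage helper recognises a .NET Remoting TCP frame and tells a defender whether a captured request carries a BinaryFormatter payload, i.e. whether it is hitting a deserialization surface of the kind described above. It assumes the .NET Remoting TCP channel framing (MS-NRTP); the request URI and the payload are constructed placeholders, since the post gives neither AgentPortal's endpoint nor any message contents.

```python
import struct

PREAMBLE = b".NET"
OPS = {0: "Request", 1: "OneWayRequest", 2: "Reply"}
TOKENS = {2: "StatusCode", 3: "StatusPhrase", 4: "RequestUri",
          5: "CloseConnection", 6: "ContentType"}

def _counted_string(buf, pos):
    # CountedString: 1-byte encoding (0 = UTF-16LE, 1 = UTF-8), Int32 length, bytes
    enc = "utf-16-le" if buf[pos] == 0 else "utf-8"
    (n,) = struct.unpack_from("<i", buf, pos + 1)
    return buf[pos + 5:pos + 5 + n].decode(enc), pos + 5 + n

def _header_value(buf, pos):
    # HeaderDataFormat byte: 0 Void, 1 CountedString, 2 Byte, 3 UInt16, 4 Int32
    fmt, pos = buf[pos], pos + 1
    if fmt == 0:
        return None, pos
    if fmt == 1:
        return _counted_string(buf, pos)
    size, code = {2: (1, "<B"), 3: (2, "<H"), 4: (4, "<i")}[fmt]
    return struct.unpack_from(code, buf, pos)[0], pos + size

def parse_remoting_frame(data):
    """Parse one .NET Remoting TCP frame; return metadata, or None if it is not one."""
    if len(data) < 10 or data[:4] != PREAMBLE or data[4:6] != b"\x01\x00":
        return None
    op, dist = struct.unpack_from("<HH", data, 6)   # OperationType, ContentDistribution
    pos, length, headers = 10, None, {}
    if dist == 0:                                    # 0 = single chunk with ContentLength
        (length,) = struct.unpack_from("<I", data, pos)
        pos += 4
    while True:
        (token,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if token == 0:                               # EndOfHeaders
            break
        name = TOKENS.get(token)
        if token == 1:                               # Custom header: name, then value
            name, pos = _counted_string(data, pos)
        headers[name], pos = _header_value(data, pos)
    payload = data[pos:pos + length] if length is not None else data[pos:]
    # BinaryFormatter streams open with SerializationHeaderRecord (0x00) and end with MessageEnd (0x0B)
    binfmt = len(payload) >= 17 and payload[0] == 0 and payload[-1] == 0x0B
    return {"op": OPS.get(op, "Unknown"), "headers": headers, "payload_len": len(payload),
            "binary_formatter": binfmt, "deserialization_surface": binfmt and op in (0, 1)}

def constructed_sample():
    """Constructed, benign frame: a Request to placeholder URI /RemotingObject whose payload serialises the string 'ping'."""
    payload = (b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)    # SerializationHeaderRecord
               + b"\x06" + struct.pack("<i", 1) + b"\x04ping"  # BinaryObjectString, id 1
               + b"\x0b")                                       # MessageEnd
    cs = lambda s: b"\x01" + struct.pack("<i", len(s)) + s.encode()
    headers = (struct.pack("<H", 4) + b"\x01" + cs("/RemotingObject")
               + struct.pack("<H", 6) + b"\x01" + cs("application/octet-stream")
               + struct.pack("<H", 0))
    return PREAMBLE + b"\x01\x00" + struct.pack("<HH", 0, 0) + struct.pack("<I", len(payload)) + headers + payload
```

Any frame where `deserialization_surface` is true and the peer is not an expected management host is worth an alert while hosts remain unpatched; the helper does not attempt to judge the payload's contents.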

On September 10, Ivanti released urgent security updates for EPM 2022 and 2024 that address this issue. At the moment there is no mitigation other than installing the updates, and all customers are urged to update their systems as soon as possible.
