Ivanti Endpoint Manager (EPM) is a comprehensive solution designed to help organizations manage and secure their endpoint devices across multiple platforms, including Windows, macOS, Chrome OS and IoT systems.
The vendor has released security updates to address a maximum-severity vulnerability in its Endpoint Manager (EPM) software, tracked as CVE-2024-29847. The flaw is a deserialization of untrusted data issue in the agent portal that an attacker can exploit to achieve remote code execution on the core server.
Ivanti's advisory reads: "Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution."
Ivanti also fixed multiple critical, high and medium severity vulnerabilities that could be exploited to gain unauthorized access to the EPM core server. The critical SQL injection vulnerabilities CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783 and CVE-2024-34785 (CVSS score 9.1) can allow a remote authenticated administrator to execute arbitrary code on the core server.
| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2024-37397 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | 8.2 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-611 |
| CVE-2024-8191 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32840 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32842 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32843 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32845 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32846 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32848 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34779 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34783 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34785 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-89 |
| CVE-2024-8320 | Missing authentication in Network Isolation of Ivanti EPM before {fix version} allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. | 5.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CWE-306 |
| CVE-2024-8321 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. | 5.8 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L | CWE-306 |
| CVE-2024-8322 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | 4.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CWE-1390 |
| CVE-2024-29847 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | 10.0 (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502 |
| CVE-2024-8441 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. | 6.7 (Medium) | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | |
These vulnerabilities affect Ivanti Endpoint Manager 2024 and 2022 SU5 and earlier. The 2024 release requires two security patches to be applied (July and September); 2024 SU1 (forthcoming) and 2022 SU6 fix the issues. The company is not aware of attackers exploiting these vulnerabilities. The advisory concludes: "At the time of disclosure, we are not aware of any customers being exploited by these vulnerabilities."
Originally published on the WeChat official account 黑猫安全: Ivanti fixed a maximum-severity vulnerability in its Endpoint Manager (EPM) software