CVE-2024-11597
📋 TL;DR
This vulnerability allows a local authenticated attacker to escalate privileges on Ivanti Performance Manager systems due to insecure permissions. Attackers could gain higher-level access than intended. Affected systems are those running Ivanti Performance Manager before specific hotfix versions.
💻 Affected Systems
- Ivanti Performance Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an authenticated low-privilege user gains root/administrator access, potentially leading to data theft, system manipulation, or persistence.
Likely Case
Local authenticated users (including legitimate users with malicious intent) escalate privileges to perform unauthorized administrative actions within the Performance Manager environment.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated privilege escalation attempts that can be detected and contained.
🎯 Exploit Status
Exploitation requires local authenticated access but appears to be straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1
Vendor Advisory: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Performance-Manager-CVE-2024-11597
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from the Ivanti support portal.
2. Apply the hotfix according to Ivanti documentation.
3. Restart the Ivanti Performance Manager service.
4. Verify successful installation.
🔧 Temporary Workarounds
Restrict Local Access
Limit local authenticated access to only trusted administrators who require it for legitimate purposes.
Implement Least Privilege
Ensure all user accounts have only the minimum necessary permissions for their roles.
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate locally to affected systems
- Monitor for privilege escalation attempts and unusual administrative activity
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Performance Manager version in the administration console or via system information commands.
Check Version:
Check the Ivanti Performance Manager web interface or consult the product documentation for version-checking commands.
Verify Fix Applied:
Verify that the installed version shown in the administration console is 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- Administrative actions from non-admin accounts
- Failed permission checks followed by successful elevated operations
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
Search for authentication events followed by privilege escalation patterns or unexpected administrative actions