CVE-2024-13166
📋 TL;DR
An out-of-bounds write vulnerability in Ivanti Endpoint Manager (EPM) allows remote unauthenticated attackers to cause denial of service by crashing the service. This affects Ivanti EPM 2024 and 2022 SU6 versions before the January 2025 security updates. Organizations using these vulnerable versions are at risk.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Ivanti EPM management capabilities, preventing endpoint management and potentially requiring manual service restoration.
Likely Case
Temporary denial of service affecting EPM console and agent communications until service restart.
If Mitigated
Minimal impact with proper network segmentation and updated systems.
🎯 Exploit Status
CWE-787 out-of-bounds write vulnerabilities typically require specific knowledge of the affected memory layout, but the unauthenticated remote trigger lowers the barrier for the denial-of-service outcome described here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- EPM 2024: January-2025 Security Update
- EPM 2022 SU6: January-2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Ivanti support portal.
2. Apply the update to the EPM server first.
3. Update EPM agents through the console.
4. Restart EPM services.
5. Verify that all components show the updated versions.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM servers to trusted management networks and the ports required for agent communication only.
Use firewall rules to limit inbound connections to EPM servers to authorized IP ranges only.
Service Monitoring
Implement aggressive service monitoring and automatic restart for EPM services to minimize downtime.
Configure monitoring tools to alert on EPM service crashes and automatically restart the services.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to EPM servers
- Deploy additional monitoring for service crashes and establish rapid response procedures
🔍 How to Verify
Check if Vulnerable:
Check the EPM console version under Help > About. If the version predates the January 2025 security update, the system is vulnerable.
Check Version:
In EPM console: Help > About displays version information
Verify Fix Applied:
Verify that the version shows the January 2025 security update applied, and test that EPM functionality remains operational.
📡 Detection & Monitoring
Log Indicators:
- EPM service crash events in Windows Event Logs
- Unexpected service termination logs
- Increased error rates in EPM application logs
Network Indicators:
- Unusual traffic patterns to EPM ports (typically 443, 8443)
- Multiple connection attempts from single sources
SIEM Query:
(source="windows" AND (event_id=7034 OR event_id=1000) AND process_name="epm*") OR (source="ivanti_epm" AND (message="*crash*" OR message="*terminated*"))
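The SIEM query above expressed as a small triage script, as an added example that is not part of the original advisory: it evaluates the same conditions over constructed Windows event records (Event ID 7034 from the Service Control Manager, Event ID 1000 Application Error) and flags a burst of repeated crashes, which is what a remote denial of service against the service looks like in the log, as opposed to a single fault. The process and service names in the sample records are assumptions, not values from the advisory.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields mirror the SIEM query above.
# Process/service names are placeholders, not the real EPM binary names.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T10:00:05", "source": "windows", "event_id": 7034,
     "process_name": "epm_core_service", "message": "terminated unexpectedly"},
    {"ts": "2025-01-15T10:00:40", "source": "windows", "event_id": 1000,
     "process_name": "epmsvc.exe", "message": "Faulting application"},
    {"ts": "2025-01-15T10:01:10", "source": "windows", "event_id": 7034,
     "process_name": "epm_core_service", "message": "terminated unexpectedly"},
    {"ts": "2025-01-15T10:02:00", "source": "windows", "event_id": 7034,
     "process_name": "Spooler", "message": "terminated unexpectedly"},  # not EPM
    {"ts": "2025-01-15T11:30:00", "source": "ivanti_epm", "event_id": None,
     "process_name": "", "message": "Agent handler crash detected"},
    {"ts": "2025-01-15T12:00:00", "source": "windows", "event_id": 4624,
     "process_name": "epmsvc.exe", "message": "logon"},  # EPM process, not a crash
]


def is_epm_crash(ev):
    """Boolean form of the SIEM query with explicit precedence:
    (Windows crash/termination event for an epm* process)
    OR (EPM application log line mentioning crash/terminated)."""
    windows_hit = (ev["source"] == "windows"
                   and ev["event_id"] in (7034, 1000)
                   and ev["process_name"].lower().startswith("epm"))
    epm_log_hit = (ev["source"] == "ivanti_epm"
                   and any(w in ev["message"].lower() for w in ("crash", "terminated")))
    return windows_hit or epm_log_hit


def find_crash_events(events):
    """Return the records that match the crash query."""
    return [ev for ev in events if is_epm_crash(ev)]


def crash_burst(events, window=timedelta(minutes=10), threshold=3):
    """True when `threshold` or more EPM crash events fall inside one sliding
    window of `window` length: repeated crashes warrant escalation, a single
    crash may just be a fault followed by the automatic restart."""
    times = sorted(datetime.fromisoformat(ev["ts"]) for ev in find_crash_events(events))
    for i, start in enumerate(times):
        if i + threshold - 1 < len(times) and times[i + threshold - 1] - start <= window:
            return True
    return False


if __name__ == "__main__":
    hits = find_crash_events(SAMPLE_EVENTS)
    print(f"{len(hits)} EPM crash events; burst={crash_burst(SAMPLE_EVENTS)}")
```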