CVE-2024-13168
📋 TL;DR
An out-of-bounds write vulnerability in Ivanti Endpoint Manager (EPM) allows a remote, unauthenticated attacker to cause a denial of service by crashing the service. This affects Ivanti EPM 2024 versions before the January 2025 security update and EPM 2022 SU6 versions before the January 2025 security update.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Ivanti EPM management infrastructure, preventing endpoint management and security operations across the organization.
Likely Case
Service crashes leading to temporary loss of endpoint management capabilities until service restart.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing external exploitation.
🎯 Exploit Status
The vulnerability requires crafting specific network requests to trigger the out-of-bounds write condition. No authentication is required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January 2025 Security Update, EPM 2022 SU6 January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: Yes
Instructions:
1. Download the appropriate security update from Ivanti's support portal.
2. Apply the update to all EPM servers.
3. Restart the EPM services.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Ivanti EPM servers to only trusted management networks
Firewall Rules
Implement firewall rules to block external access to EPM service ports
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the EPM servers
- Monitor EPM service health and implement automated restart procedures for service crashes
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version against affected versions listed in the security advisory
Check Version:
Check EPM console or server properties for version information
Verify Fix Applied:
Verify the installed version matches or exceeds the patched versions mentioned in the advisory
📡 Detection & Monitoring
Log Indicators:
- EPM service crash events in Windows Event Logs
- Unexpected service restarts
- Access attempts from unusual sources
Network Indicators:
- Unusual traffic patterns to EPM service ports
- Multiple connection attempts followed by service unavailability
SIEM Query:
(source="windows" AND (event_id=7034 OR event_id=1000) AND process_name="epm*") OR (source="firewall" AND dest_port IN (EPM_service_ports) AND action="block")
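As an added example (not from the advisory or from Ivanti), the following Python correlates the log and network indicators above: a Windows event 7034 (service terminated unexpectedly) or 1000 (application error) for an EPM process that was preceded, within a short window, by repeated connections to the EPM service ports. The log formats, the `epm` name hint, the service names and the port number are assumptions, and the log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Placeholder: replace with the EPM ports actually exposed in your deployment.
EPM_SERVICE_PORTS = {9999}
# Assumed substring identifying the EPM process or service in event data.
EPM_NAME_HINT = "epm"

# Constructed sample events: (timestamp, Windows event ID, process/service name)
WINDOWS_EVENTS = [
    ("2025-01-15T10:02:11", 7034, "Ivanti EPM Core Service"),
    ("2025-01-15T10:02:40", 7034, "Print Spooler"),
    ("2025-01-15T10:30:05", 1000, "EpmAgent.exe"),
]
# Constructed sample firewall lines (the key=value format is an assumption).
FIREWALL_LOG = """
2025-01-15T10:01:20 src=203.0.113.7 dst=10.0.0.5 dport=9999 action=allow
2025-01-15T10:01:31 src=203.0.113.7 dst=10.0.0.5 dport=9999 action=allow
2025-01-15T10:01:55 src=203.0.113.7 dst=10.0.0.5 dport=9999 action=allow
2025-01-15T10:02:02 src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow
2025-01-15T10:29:10 src=10.0.0.20 dst=10.0.0.5 dport=9999 action=allow
""".strip().splitlines()

FW_RE = re.compile(r"^(\S+) src=(\S+) dst=\S+ dport=(\d+) action=\w+")

def parse_fw(lines):
    """Return (timestamp, source) for every connection to an EPM service port."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and int(m.group(3)) in EPM_SERVICE_PORTS:
            hits.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return hits

def find_crash_bursts(events, fw_lines, window_min=5, min_conns=3):
    """Return (crash_time, name, connection_count, sources) for each EPM crash
    event preceded within window_min minutes by >= min_conns EPM-port connections."""
    conns = parse_fw(fw_lines)
    alerts = []
    for ts, event_id, name in events:
        if event_id not in (7034, 1000) or EPM_NAME_HINT not in name.lower():
            continue  # not a crash indicator, or not the EPM service
        crash = datetime.fromisoformat(ts)
        start = crash - timedelta(minutes=window_min)
        prior = [(t, src) for t, src in conns if start <= t <= crash]
        if len(prior) >= min_conns:
            alerts.append((ts, name, len(prior), sorted({s for _, s in prior})))
    return alerts
```

With the sample data, `find_crash_bursts(WINDOWS_EVENTS, FIREWALL_LOG)` flags only the 10:02:11 EPM crash, which follows three connections from one source; the Print Spooler crash and the later EPM error with a single prior connection are ignored.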