CVE-2024-13169
📋 TL;DR
This vulnerability allows a local authenticated attacker to perform an out-of-bounds read in Ivanti Endpoint Manager (EPM), potentially leading to privilege escalation. It affects Ivanti EPM 2024 and 2022 SU6 versions before the January 2025 security updates. Attackers must already have local access to the system to exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full administrative privileges on the system, potentially compromising the entire EPM deployment and connected endpoints.
Likely Case
An authenticated user with limited privileges escalates to higher privileges within the EPM system, enabling unauthorized configuration changes or data access.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires local authenticated access and understanding of memory manipulation techniques. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January 2025 Security Update, EPM 2022 SU6 January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: No
Instructions:
1. Download the appropriate security update from the Ivanti support portal.
2. Apply the update to all EPM servers and clients.
3. Verify successful installation through the EPM console.
🔧 Temporary Workarounds
Restrict Local Access
Limit local login access to EPM systems to authorized administrators only.
🧯 If You Can't Patch
- Implement strict principle of least privilege for all EPM user accounts
- Enable detailed auditing and monitoring of privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check EPM version in the console: Settings > About. If version is before the January 2025 security updates, the system is vulnerable.
Check Version:
In EPM console: Navigate to Settings > About to view version information
Verify Fix Applied:
Verify the installed version shows the January 2025 security update in the EPM console About section.
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in EPM audit logs
- Multiple failed privilege elevation attempts followed by success
Network Indicators:
- Unusual authentication patterns from specific workstations to EPM servers
SIEM Query:
source="epm_logs" AND (event_type="privilege_escalation" OR event_type="authentication_success") AND user NOT IN admin_users
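The "multiple failed privilege elevation attempts followed by success" indicator above can be expressed as a stateful check, shown here as an added example that is not from Ivanti or from this page's source. The JSON log layout, the `privilege_escalation_failed` event name, the `epmadmin` account and the thresholds are assumptions; only the `privilege_escalation` event type and the admin exclusion come from the query above.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, oldest first. The JSON layout and the "*_failed"
# event name are assumptions, not Ivanti EPM's real audit log format.
SAMPLE_LOG = """\
{"ts": "2025-01-20T08:00:00", "user": "bwong", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T08:01:00", "user": "bwong", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T08:02:00", "user": "bwong", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T08:30:00", "user": "bwong", "event_type": "privilege_escalation"}
{"ts": "2025-01-20T09:00:01", "user": "jdoe", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T09:00:40", "user": "jdoe", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T09:01:15", "user": "jdoe", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T09:02:03", "user": "jdoe", "event_type": "privilege_escalation"}
{"ts": "2025-01-20T09:05:00", "user": "asmith", "event_type": "privilege_escalation_failed"}
{"ts": "2025-01-20T09:05:30", "user": "asmith", "event_type": "privilege_escalation"}
this line is not JSON and must be skipped
"""

ADMIN_USERS = {"epmadmin"}  # hypothetical stand-in for admin_users in the query
MIN_FAILURES, WINDOW = 3, timedelta(minutes=10)  # assumed thresholds


def detect(log_text, admins=ADMIN_USERS, min_failures=MIN_FAILURES, window=WINDOW):
    """Alert when a non-admin user's successful elevation follows at least
    min_failures failed attempts inside the window (events in time order)."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            user, kind = ev["user"], ev["event_type"]
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed line: ignore rather than crash
        if user in admins:
            continue
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that aged out of the window
        if kind == "privilege_escalation_failed":
            recent.append(ts)
        elif kind == "privilege_escalation":
            if len(recent) >= min_failures:
                alerts.append({"user": user, "ts": ev["ts"], "failures": len(recent)})
            recent.clear()  # a success resets the failure streak
    return alerts
```

On the constructed sample only `jdoe` is flagged: `bwong`'s failures fall outside the 10-minute window and `asmith` has a single failure before the success.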