CVE-2024-29821
📋 TL;DR
This vulnerability in Ivanti DSM allows authenticated local users to execute arbitrary code with elevated privileges due to insecure access control lists. Attackers can escalate privileges from a standard user account to SYSTEM/root level access. Only Ivanti DSM installations before version 2024.2 are affected.
💻 Affected Systems
- Ivanti DSM (Device and Application Management)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attackers gaining SYSTEM/root privileges, installing persistent backdoors, accessing all data, and pivoting to other systems in the network.
Likely Case
Privilege escalation leading to credential theft, lateral movement within the network, and deployment of ransomware or other malware.
If Mitigated
Limited impact if proper network segmentation, least privilege principles, and monitoring are in place, though local privilege escalation remains possible.
🎯 Exploit Status
Exploitation requires authenticated local access but is likely straightforward once that access is obtained. No public exploit code was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.2
Vendor Advisory: https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-2024-29821
Restart Required: Yes
Instructions:
1. Download Ivanti DSM version 2024.2 from the Ivanti portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade to version 2024.2.
4. Restart the system as prompted.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Local User Access
All platforms: Limit local user accounts on systems running Ivanti DSM to only essential administrative users.
Implement Least Privilege
All platforms: Ensure all local user accounts have minimal privileges and cannot execute arbitrary programs.
🧯 If You Can't Patch
- Isolate Ivanti DSM systems on separate network segments to limit lateral movement
- Implement strict monitoring for privilege escalation attempts and unusual process execution
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti DSM version in the administration console or from the command line:
- On Windows: check the program version in Control Panel > Programs.
- On Linux: check the package version with the package manager.
Check Version:
- Windows: wmic product where name='Ivanti DSM' get version
- Linux (rpm): rpm -qa | grep ivanti-dsm
- Linux (dpkg): dpkg -l | grep ivanti-dsm
Verify Fix Applied:
Verify version shows 2024.2 or later in the Ivanti DSM administration interface or via version check commands.
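The version check above, as an added example that is not part of the original advisory or any Ivanti tooling: a Python triage helper that parses the output of the three commands and compares the result numerically against 2024.2. The sample outputs and version strings are constructed, and the line layouts assumed are the generic wmic, rpm -qa and dpkg -l formats.

```python
import re

FIXED = (2024, 2)  # first fixed release according to this page

# Constructed sample outputs (not captured from a real installation)
WMIC_SAMPLE = "Version  \r\n2024.1.0.0  \r\n"
RPM_SAMPLE = "ivanti-dsm-2024.2-1.x86_64\n"
DPKG_SAMPLE = "ii  ivanti-dsm  2023.10-1  amd64  Ivanti DSM\n"


def extract_version(output):
    """Return the first version found as a tuple of ints, or None."""
    for line in output.splitlines():
        line = line.strip()
        # dpkg -l row: "<status>  ivanti-dsm  <version>  <arch>  <description>"
        m = re.match(r"\w{2,3}\s+ivanti-dsm\S*\s+(\d+(?:\.\d+)*)", line)
        # rpm -qa row: "ivanti-dsm-<version>-<release>.<arch>"
        m = m or re.match(r"ivanti-dsm-(\d+(?:\.\d+)*)", line)
        # wmic value row: a bare dotted version under the "Version" header
        m = m or re.match(r"(\d+(?:\.\d+)+)$", line)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def is_vulnerable(output):
    """True if older than FIXED, False if not, None if no version was found."""
    version = extract_version(output)
    if version is None:
        return None
    # Compare numerically and pad with zeros: as strings "2024.10" sorts
    # before "2024.2", which would flag a fixed host as vulnerable.
    width = max(len(version), len(FIXED))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED + (0,) * (width - len(FIXED))
    return padded < fixed


if __name__ == "__main__":
    for name, sample in [("wmic", WMIC_SAMPLE), ("rpm", RPM_SAMPLE), ("dpkg", DPKG_SAMPLE)]:
        print(name, extract_version(sample), is_vulnerable(sample))
```

A result of None means no version could be read from the output and the host needs a manual check; it should not be counted as patched.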
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution with SYSTEM privileges
- Failed privilege escalation attempts
- Unauthorized access to sensitive directories
Network Indicators:
- Unusual outbound connections from Ivanti DSM system
- Lateral movement attempts from the system
SIEM Query:
source='*ivanti*' AND (event_id=4688 OR process_name='*system*') AND user!='SYSTEM'