CVE-2024-29828
📋 TL;DR
An authenticated SQL injection vulnerability in the Ivanti EPM Core server allows an attacker on the same network to execute arbitrary code. It affects Ivanti EPM 2022 SU5 and earlier; 2022 SU6 contains the fix. Exploitation requires valid EPM credentials and network reachability to the Core server, so the attacker is already an insider or holds stolen credentials.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
Ivanti Endpoint Manager (EPM) is a unified endpoint management product. A central Core server, backed by a Microsoft SQL Server database, inventories managed devices and pushes software, patches and configuration to them through agents. That management channel is why a compromise of the Core server matters well beyond the one host.
⚠️ Risk & Real-World Impact
Worst Case
Code execution on the EPM Core server as a privileged account, followed by theft of the EPM database, abuse of the Core's management channel to reach managed endpoints, and lateral movement across the network.
Likely Case
Compromise of the EPM database via the injection, leading to disclosure of the data it holds, privilege escalation within EPM, and code execution on the Core server itself.
If Mitigated
Exploitation still needs an authenticated session and network reachability to the Core server, so tight network segmentation and tight control over which accounts can log in to EPM raise the bar substantially. Input validation and parameterized queries are part of the vendor's fix in 2022 SU6; they are not something an operator can add to the product.
🎯 Exploit Status
This is an authenticated SQL injection: once an attacker holds valid EPM credentials and can reach the Core server, locating the injection point is the only remaining hurdle, and SQL injection is generally low-complexity to exploit from there. Treat it as practically exploitable and prioritise patching; check the vendor advisory and CISA's Known Exploited Vulnerabilities catalog for current in-the-wild status rather than relying on this summary.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024
Restart Required: Yes
Instructions:
1. Download the 2022 SU6 (or later) update from the Ivanti support portal.
2. Apply the update to every affected EPM Core server.
3. Restart the EPM services.
4. Verify the update was applied (see How to Verify below).
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM Core servers to authorized management systems and administrator workstations only; the vulnerability is only reachable by a host that can talk to the Core server.
Account Restriction
Exploitation requires valid credentials, so reduce the set of accounts that can authenticate to the Core server, disable unused or shared accounts, and enforce strong authentication where EPM supports it. There is no customer-side input validation to bolt on; parameterized queries only arrive with the vendor's SU6 fix.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the EPM Core server
- Increase logging on the EPM Core server and its SQL Server database (failed and successful EPM logins, SQL errors, query text where available) and alert on the patterns listed under Detection & Monitoring
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the administration console. If it is 2022 SU5 or earlier (including 2022 with no service update, and earlier major versions per the advisory), the system is vulnerable.
Check Version:
Check Ivanti EPM Console → Help → About for version information
Verify Fix Applied:
Verify the EPM version shows 2022 SU6 or later in the administration console after patching.
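The manual check above does not scale across a fleet, so here is an added example (not Ivanti's code, and not from the original page) that applies the advisory's rule, "2022 SU5 and prior is vulnerable, 2022 SU6 or later is fixed", to version strings exported from an inventory. The version-string format ("2022 SU5", "2022SU5", bare "2022") is an assumption about how Console → Help → About reports the build; adjust the regex if your console shows something else. The inventory lines are constructed for the example.

```python
import re

# Fixed build per the vendor advisory for CVE-2024-29828: Ivanti EPM 2022 SU6.
FIXED = (2022, 6)

# Assumed display format: "2022 SU5", "2022SU5", "2021.1 SU3", or "2022" with no
# service update. The real Help -> About string may differ; adjust if needed.
VERSION_RE = re.compile(
    r"^\s*(?P<major>\d{4})(?:\.\d+)?\s*(?:SU\s*(?P<su>\d+))?\s*$", re.I
)


def parse_epm_version(text):
    """Return (major, service_update); a missing SU counts as SU0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    return int(m["major"]), int(m["su"] or 0)


def is_vulnerable(version_text):
    """True when the build is older than 2022 SU6, i.e. 2022 SU5 or prior."""
    return parse_epm_version(version_text) < FIXED


# Constructed inventory (hostname,version), e.g. a CMDB export. Not real hosts.
SAMPLE_INVENTORY = """\
epm-core-01,2022 SU5
epm-core-02,2022 SU6
epm-core-lab,2022
epm-core-03,2022SU7
epm-core-old,unknown
"""


def triage(inventory_csv):
    """Split hosts into (needs_patch, patched, unparseable) lists."""
    needs_patch, patched, unparseable = [], [], []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        try:
            (needs_patch if is_vulnerable(version) else patched).append(host)
        except ValueError:
            # Never silently treat an unknown string as patched.
            unparseable.append(host)
    return needs_patch, patched, unparseable


if __name__ == "__main__":
    needs_patch, patched, unparseable = triage(SAMPLE_INVENTORY)
    print("needs patch :", needs_patch)
    print("patched     :", patched)
    print("check by hand:", unparseable)
```

Hosts whose version string does not parse are reported separately rather than assumed safe; a blank or odd string in the inventory is exactly the host most likely to have been forgotten.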
📡 Detection & Monitoring
Log Indicators:
- SQL Server error messages generated by Core server requests (syntax errors, unclosed quotation marks, type-conversion failures), and any logged query text containing UNION SELECT, stacked statements, or xp_cmdshell
- Multiple failed authentication attempts followed by successful login
- Unexpected database schema modifications
Network Indicators:
- Unusual query volume or timing between the EPM Core server and its SQL Server database, especially right after a login from an unfamiliar source
- Application error responses from the Core server's web endpoints that carry SQL Server error text
SIEM Query:
The following is a Splunk-style starting point; the index, sourcetype and field names are placeholders to be mapped onto your own EPM Core and SQL Server log sources:

index=epm (sourcetype=epm_core OR sourcetype=mssql) ("Incorrect syntax near" OR "Unclosed quotation mark" OR "Conversion failed" OR xp_cmdshell OR "UNION SELECT") | stats count by src_ip, user | where count > 3
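To make the log indicators above concrete, here is an added example (not from the original page and not Ivanti's code) that runs three of them over a constructed set of events: a burst of failed logins followed by a success for the same user and source, a burst of SQL Server error messages from one source, and query text carrying injection markers. The "timestamp kind key=value" line shape is an assumption made for the example, not Ivanti EPM's log format; the sample lines, hostnames, table name and addresses are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp kind key=value ..." shape.
# Not Ivanti EPM's real log format: map your own Core-server and SQL Server
# fields onto kind/result/user/src/msg/query before reusing this.
SAMPLE_LOGS = """\
2024-05-21T10:00:01Z auth result=fail user=svc_epm src=10.0.5.23
2024-05-21T10:00:03Z auth result=fail user=svc_epm src=10.0.5.23
2024-05-21T10:00:05Z auth result=fail user=svc_epm src=10.0.5.23
2024-05-21T10:00:09Z auth result=success user=svc_epm src=10.0.5.23
2024-05-21T10:00:15Z db result=error src=10.0.5.23 msg="Incorrect syntax near ''"
2024-05-21T10:00:16Z db result=error src=10.0.5.23 msg="Unclosed quotation mark after the character string"
2024-05-21T10:00:17Z db result=error src=10.0.5.23 msg="Conversion failed when converting the nvarchar value"
2024-05-21T10:00:30Z db result=ok src=10.0.5.23 query="SELECT name FROM dbo.Devices WHERE name = 'a' UNION SELECT '';EXEC xp_cmdshell 'whoami'--"
2024-05-21T10:05:00Z auth result=success user=admin src=10.0.1.10
2024-05-21T10:05:02Z db result=error src=10.0.1.10 msg="Incorrect syntax near 'FORM'"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_logs(text):
    """Turn key=value lines into dicts with a datetime under 'ts' and the event kind."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        ev = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["kind"] = kind
        events.append(ev)
    return events


def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures for the same user/src within window."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    hits = []
    for e in events:
        if e["kind"] != "auth":
            continue
        key = (e["user"], e["src"])
        recent = failures[key]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["result"] == "fail":
            recent.append(e["ts"])
        elif e["result"] == "success":
            if len(recent) >= threshold:
                hits.append({"user": e["user"], "src": e["src"], "ts": e["ts"], "failures": len(recent)})
            recent.clear()
    return hits


def sql_error_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Return sources that produced >= threshold SQL errors inside one window (probing behaviour)."""
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        if e["kind"] != "db" or e.get("result") != "error":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
    return sorted(flagged)


# Markers that should never appear in application-generated query text.
INJECTION_PATTERNS = [
    (re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I), "union-based injection"),
    (re.compile(r"\bxp_cmdshell\b", re.I), "SQL Server OS command execution"),
    (re.compile(r"(?:--|/\*|;\s*EXEC\b)", re.I), "comment/stacked-statement marker"),
    (re.compile(r"\bWAITFOR\s+DELAY\b", re.I), "time-based blind probe"),
]


def suspicious_queries(events):
    """Return db events whose logged query text matches any injection marker, with reasons."""
    hits = []
    for e in events:
        if e["kind"] != "db" or "query" not in e:
            continue
        reasons = [why for rx, why in INJECTION_PATTERNS if rx.search(e["query"])]
        if reasons:
            hits.append({"src": e["src"], "ts": e["ts"], "reasons": reasons})
    return hits


def analyze(text):
    events = parse_logs(text)
    return {
        "credential_guessing": failed_then_success(events),
        "sql_error_bursts": sql_error_bursts(events),
        "suspicious_queries": suspicious_queries(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

The three detections are deliberately independent: a burst of SQL Server errors alone is a reasonable low-severity alert, but the same source also appearing in the credential-guessing and injection-marker results is what turns it into an incident. Query-text logging on SQL Server is usually off by default, so the third detection only works if you enable it (or an equivalent audit) on the EPM database.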