CVE-2024-29830
📋 TL;DR
This SQL injection vulnerability in the Ivanti EPM Core server allows authenticated attackers on the same network to execute arbitrary SQL commands, potentially leading to remote code execution. It affects Ivanti EPM 2022 SU5 and earlier versions. Only authenticated users within the same network segment can exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Ivanti EPM server leading to domain-wide privilege escalation, data exfiltration, and deployment of persistent backdoors across managed endpoints.
Likely Case
Database compromise allowing extraction of credentials and configuration data, and potentially execution of commands on the EPM server.
If Mitigated
Exposure is limited to authenticated users only, with network segmentation preventing lateral movement and proper input validation blocking exploitation attempts.
🎯 Exploit Status
Requires authenticated access and SQL injection knowledge. The 'arbitrary code execution' wording suggests the SQL injection can lead to RCE through stored procedures or similar mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024
Restart Required: Yes
Instructions:
1. Download Ivanti EPM 2022 SU6 or later from the Ivanti portal.
2. Back up the EPM database and configuration.
3. Run the installer on the Core server.
4. Restart the EPM services.
5. Verify all components are functioning correctly.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the Ivanti EPM Core server to only the necessary administrative workstations and servers
Principle of Least Privilege
Review and minimize the user accounts that have administrative access to Ivanti EPM
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with the EPM Core server
- Enable detailed SQL query logging and monitor for unusual database activity patterns
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in Administration Console > About. If the version is 2022 SU5 or earlier, the system is vulnerable.
Check Version:
In the Ivanti EPM Administration Console, navigate to Help > About to view the version information
Verify Fix Applied:
Verify that the version shows 2022 SU6 or later in Administration Console > About. Test EPM functionality to ensure the patch didn't break core operations.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in EPM database logs
- Multiple failed authentication attempts followed by complex SQL queries
- Unexpected stored procedure executions
Network Indicators:
- Unusual database connection patterns to EPM server
- SQL injection patterns in HTTP requests to EPM web interface
SIEM Query:
source="epm_logs" AND ("sql injection" OR "union select" OR "xp_cmdshell" OR "exec(")
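As an added example (not from this page or from Ivanti), a small Python checker that applies the indicator terms from the SIEM query above to constructed sample log lines, URL-decoding and stripping inline SQL comments first so that trivially obfuscated variants are not missed; the log format, request paths and host names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicator terms taken from the SIEM query above.
INDICATORS = ("sql injection", "union select", "xp_cmdshell", "exec(")


def normalize(line):
    """Canonicalise a log line before matching: URL-decode twice (handles
    double encoding), lower-case, replace inline SQL comments with a space
    (so 'UNION/**/SELECT' reads 'union select') and collapse whitespace."""
    text = unquote_plus(unquote_plus(line)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def match_indicators(line):
    """Return the indicator terms present in one log line, in INDICATORS order."""
    text = normalize(line)
    return [term for term in INDICATORS if term in text]


def scan(lines):
    """Return (line_number, [matched terms]) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = match_indicators(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample log lines (hypothetical format and paths, not Ivanti's):
# a benign console request, an encoded web request, a request hiding keywords
# in comments, and a database audit line for an unexpected stored procedure.
SAMPLE_LOG = [
    "2024-05-21 10:02:11 10.0.5.12 GET /console/about 200",
    "2024-05-21 10:02:40 10.0.5.12 POST /core/query id=1%27%20UNION%20SELECT%20name%20FROM%20sys.tables 500",
    "2024-05-21 10:03:02 10.0.5.12 POST /core/query id=1%27;EXEC(@stmt) 500",
    "2024-05-21 10:03:15 10.0.5.12 POST /core/query id=1%27/**/UNION/**/SELECT/**/1 500",
    "2024-05-21 10:03:30 EPMDB audit: procedure xp_cmdshell invoked by login svc_epm",
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

Substring matching on the raw literals from the SIEM query is noisy on its own; the normalisation step is what makes encoded and comment-split variants visible to the same four terms.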