CVE-2024-32842

7.2 HIGH

📋 TL;DR

This is an SQL injection vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote, authenticated attacker holding EPM administrator privileges to run arbitrary SQL against the server's database, which Ivanti rates as leading to remote code execution on the core server. It affects EPM 2022 before the SU6 update and EPM 2024 before the September 2024 update. Admin-level credentials are required, so the practical attack path is a stolen, phished or reused administrator account rather than an anonymous scan.

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager (EPM)
Versions: All versions before 2022 SU6 for EPM 2022, and all versions before September 2024 update for EPM 2024
Operating Systems: Windows Server (EPM server components)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires EPM administrator authentication to exploit. Ivanti describes the flaw only as an unspecified SQL injection; the exact injection point has not been published. The server-side web components and the Microsoft SQL Server database that backs the core server are the components involved.

📦 What is this software?

Ivanti Endpoint Manager (formerly LANDESK Management Suite) is an endpoint management platform used to inventory, patch, configure and deploy software to managed Windows, macOS and Linux devices through an agent. The core server runs on Windows Server, hosts its web components in IIS and stores inventory, policies and deployment data in a Microsoft SQL Server database, which is why a SQL injection on the core server reaches both the management data and, through the database engine, the server itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the EPM core server. Because the core server distributes packages and scripts to every managed endpoint, control of it can be turned into code execution across the managed fleet, followed by lateral movement, data exfiltration and persistent backdoors on both the server and the endpoints it manages.

🟠

Likely Case

An attacker with stolen or compromised EPM administrator credentials runs arbitrary SQL against the core server's database and escalates to code execution on the server, reads endpoint inventory and configuration data, and uses the server as a trusted pivot into the rest of the network.

🟢

If Mitigated

With the console reachable only from a management network and admin accounts protected by multi-factor authentication and monitoring, an attacker must first take over a privileged administrator before the flaw is usable. The vulnerability itself remains until the patch is applied, so the EPM server and the data it holds stay exposed to any admin-level compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Once an injection point is known, SQL injection is usually straightforward to exploit; the requirement for EPM administrator credentials is the main barrier to entry. That barrier is weaker than it sounds, since credentials for management servers are a routine target of phishing and credential reuse, and a Microsoft SQL Server backend gives an injected query well-known paths to OS command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022 SU6 for EPM 2022, September 2024 update for EPM 2024

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Ivanti's support portal.
2. Back up your EPM database and configuration.
3. Apply the patch following Ivanti's installation guide.
4. Restart the EPM services.
5. Verify the patch was applied successfully (see How to Verify below).

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to the EPM console and the core server's web interface to a management VLAN or jump host. The console should never be reachable from the internet, and only administrators who actually manage endpoints should be able to reach it at all.

Credential Hardening (applies to: all)

Enforce strong password policies, multi-factor authentication and regular credential rotation for EPM administrator accounts. EPM console logins are typically Windows or Active Directory accounts, so the policy has to be applied and audited in the directory, not only in EPM.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the EPM console and web interface
  • Monitor EPM administrator account usage and alert on unusual login patterns (new source hosts, off-hours logins, failures followed by success)
  • Enable auditing on the EPM SQL Server instance and alert on syntax errors typical of injection ("Unclosed quotation mark", "Incorrect syntax near") and on any attempt to enable xp_cmdshell, the usual route from SQL injection to OS command execution on SQL Server
  • Keep xp_cmdshell disabled and give the EPM database account only the SQL Server rights Ivanti's documentation requires; check that documentation before reducing rights, since EPM components may depend on them

🔍 How to Verify

Check if Vulnerable:

Check your Ivanti EPM version in the EPM console under Help > About. Compare against affected versions listed in the advisory.

Check Version:

In EPM console: Navigate to Help > About to view version information

Verify Fix Applied:

After patching, verify the version number has been updated to 2022 SU6 or later for EPM 2022, or September 2024 update or later for EPM 2024.

📡 Detection & Monitoring

Log Indicators:

  • SQL Server errors in the EPM database's error log that indicate input breaking a query ("Unclosed quotation mark after the character string", "Incorrect syntax near"), especially shortly after an administrator login
  • Multiple failed login attempts followed by a successful administrator login, or admin logins from hosts that do not normally run the console
  • Unusual process execution from EPM service accounts, and in particular cmd.exe or powershell.exe spawned by the SQL Server process (sqlservr.exe), which is what xp_cmdshell produces

Network Indicators:

  • Unusual outbound connections from the EPM server, which normally talks only to managed endpoints, its database and Ivanti update sources
  • SQL injection patterns in requests to the EPM web interface; console traffic is HTTPS, so this needs IIS request logs on the core server or a WAF or proxy that terminates TLS

SIEM Query (Splunk-style; field names depend on how EPM and SQL Server logs are ingested):

source="epm_logs" AND (event_type="sql_error" OR (event_type="authentication" AND user="admin" AND result="success"))

The parentheses matter: without them the OR and AND bind ambiguously across SIEM dialects. The second clause matches only the literal account name "admin"; substitute your EPM administrator accounts, and treat successful admin logins as correlation context rather than a standalone alert, since on their own they fire on every routine login.
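The log indicators above and the monitoring advice under "If You Can't Patch" are easier to act on as a concrete correlation. The script below is an added example, not code from this page or from Ivanti: it runs the three correlations over constructed sample log lines in an assumed "timestamp key=value" format (the field names event_type, user, src_ip, result and message are assumptions; map them to whatever your ingestion produces). It flags repeated failed logins followed by a success, SQL Server syntax-breakage errors within ten minutes of an administrator login from the same source, and any statement enabling xp_cmdshell. A benign "Timeout expired" error from a second user is included to show the rule ignoring it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real EPM output) in an assumed
# "timestamp key=value ..." format. All field names are assumptions.
SAMPLE_LOGS = """\
2024-09-15T08:01:10Z event_type=authentication user=svc_epm_admin src_ip=10.0.5.20 result=failure
2024-09-15T08:01:14Z event_type=authentication user=svc_epm_admin src_ip=10.0.5.20 result=failure
2024-09-15T08:01:19Z event_type=authentication user=svc_epm_admin src_ip=10.0.5.20 result=failure
2024-09-15T08:01:25Z event_type=authentication user=svc_epm_admin src_ip=10.0.5.20 result=success
2024-09-15T08:02:03Z event_type=sql_error user=svc_epm_admin src_ip=10.0.5.20 message="Unclosed quotation mark after the character string"
2024-09-15T08:02:40Z event_type=sql_statement user=svc_epm_admin src_ip=10.0.5.20 message="EXEC sp_configure 'xp_cmdshell', 1"
2024-09-15T09:10:00Z event_type=authentication user=alice src_ip=10.0.9.7 result=success
2024-09-15T09:11:00Z event_type=sql_error user=alice src_ip=10.0.9.7 message="Timeout expired"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SQL Server error texts that usually mean attacker-controlled input broke a query.
INJECTION_ERRORS = (
    "unclosed quotation mark",
    "incorrect syntax near",
    "conversion failed when converting",
)

FAIL_THRESHOLD = 3                         # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)         # the failures must fall inside this window
POST_LOGIN_WINDOW = timedelta(minutes=10)  # SQL errors this soon after a login are correlated


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event["ts"] = ts.replace(tzinfo=timezone.utc)
    return event


def analyze(log_text):
    """Return a list of alerts, each {rule, user, src_ip, ts}, in timestamp order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    last_login = {}               # (user, src_ip) -> time of last successful login
    alerts = []

    def alert(rule, ev):
        alerts.append({"rule": rule, "user": ev.get("user"),
                       "src_ip": ev.get("src_ip"), "ts": ev["ts"].isoformat()})

    for ev in events:
        etype, user, ip = ev.get("event_type"), ev.get("user"), ev.get("src_ip")
        message = ev.get("message", "").lower()

        if etype == "authentication" and ev.get("result") == "failure":
            failures[user].append(ev["ts"])
        elif etype == "authentication" and ev.get("result") == "success":
            recent = [t for t in failures[user] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alert("failed_logins_then_success", ev)
            failures[user].clear()
            last_login[(user, ip)] = ev["ts"]
        elif etype == "sql_error":
            # Only injection-typical errors, and only shortly after a login from the same source.
            login = last_login.get((user, ip))
            if (login is not None and ev["ts"] - login <= POST_LOGIN_WINDOW
                    and any(s in message for s in INJECTION_ERRORS)):
                alert("sql_error_after_admin_login", ev)

        # Independent of event type: any sign of xp_cmdshell being enabled is high severity.
        if "xp_cmdshell" in message:
            alert("xp_cmdshell_enabled", ev)

    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

On the constructed sample the script raises three alerts, all for svc_epm_admin from 10.0.5.20, and none for alice, whose single successful login and timeout error match none of the rules. The post-login window keys on (user, source IP) rather than user alone so that an injection attempt from a second host using a legitimately logged-in account still stands out.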
