CVE-2024-32844
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. Organizations using Ivanti EPM versions before the November 2024 security updates are affected. Attackers with admin credentials can exploit this to compromise the EPM server.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the EPM server leading to domain-wide endpoint control, credential theft, lateral movement, and data exfiltration.
Likely Case
The attacker gains persistent access to the EPM server, deploys malware to managed endpoints, and extracts sensitive system information.
If Mitigated
Limited to SQL data manipulation without RCE if proper input validation and database permissions are enforced.
🎯 Exploit Status
The SQL injection to RCE chain requires specific conditions but is feasible. Admin credentials are needed for initial access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 November Security Update or 2022 SU6 November Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the November 2024 security update from the Ivanti portal.
2. Apply the update to the EPM server following Ivanti documentation.
3. Restart EPM services.
4. Verify patch installation through the EPM console.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative accounts to only necessary personnel and implement multi-factor authentication.
Network Segmentation
Isolate the EPM server from the internet and restrict internal access to trusted management networks only.
🧯 If You Can't Patch
- Implement strict network access controls to EPM server, allowing only from trusted management stations.
- Enable detailed SQL query logging and monitor for suspicious database activity patterns.
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the console: Help > About. If the version predates the November 2024 updates, the system is vulnerable.
Check Version:
In EPM console: Help > About displays current version
Verify Fix Applied:
Confirm that the version shows the November 2024 security update applied. Test admin functions for SQL injection patterns.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in EPM database logs
- Multiple failed login attempts followed by admin access
- Unexpected process creation from EPM server
Network Indicators:
- SQL queries containing suspicious patterns from EPM server IP
- Outbound connections from EPM server to unusual destinations
SIEM Query:
source="epm_logs" AND ("sql injection" OR "exec sp_" OR "xp_cmdshell")
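The log and SIEM indicators above, turned into a small detector that runs offline over constructed EPM-style log lines (added example, not Ivanti code; the "timestamp user event detail" log layout and the event names are assumed):

```python
import re
from collections import defaultdict

# Indicators taken from the SIEM query above, matched case-insensitively.
SQL_INDICATORS = [re.compile(p, re.IGNORECASE)
                  for p in (r"sql injection", r"exec\s+sp_", r"xp_cmdshell")]

# Assumed log layout: "<timestamp> <user> <event> <detail>" (constructed, not EPM's real format).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<event>\S+)\s*(?P<detail>.*)$")

# Constructed sample log: bob fails three logins, gets admin access, then runs xp_cmdshell;
# carol runs an ordinary stored procedure; alice fails once before admin access.
SAMPLE_LOG = """
2024-11-20T10:00:01Z alice sql_query SELECT Name FROM Machines WHERE Id = 42
2024-11-20T10:00:02Z bob login_failed src=10.0.0.5
2024-11-20T10:00:05Z bob login_failed src=10.0.0.5
2024-11-20T10:00:09Z bob login_failed src=10.0.0.5
2024-11-20T10:00:12Z bob login_ok src=10.0.0.5
2024-11-20T10:00:20Z bob admin_access console
2024-11-20T10:00:25Z bob sql_query EXEC xp_cmdshell 'hostname'
2024-11-20T10:01:00Z carol sql_query exec sp_helpdb
2024-11-20T10:02:00Z alice login_failed src=10.0.0.7
2024-11-20T10:02:30Z alice admin_access console
"""

def parse_log(text):
    """Parse log text into dicts with ts/user/event/detail; lines that don't fit are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.strip().splitlines()) if m]

def suspicious_sql(records):
    """Return (ts, user, detail) for sql_query events matching any indicator, in log order."""
    return [(r["ts"], r["user"], r["detail"]) for r in records
            if r["event"] == "sql_query" and any(p.search(r["detail"]) for p in SQL_INDICATORS)]

def failed_logins_then_admin(records, threshold=3):
    """Flag (ts, user, failures) when a user reaches admin_access after >= threshold failed logins.
    The failure count is per user and resets once admin access is observed."""
    streak, flagged = defaultdict(int), []
    for r in records:
        user = r["user"]
        if r["event"] == "login_failed":
            streak[user] += 1
        elif r["event"] == "admin_access":
            if streak[user] >= threshold:
                flagged.append((r["ts"], user, streak[user]))
            streak[user] = 0
    return flagged

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspicious SQL:", suspicious_sql(recs))
    print("failed logins then admin:", failed_logins_then_admin(recs))
```

Note that carol's routine `exec sp_helpdb` call also fires the `exec sp_` indicator, so that pattern needs tuning against your environment's normal stored-procedure traffic before it is alert-worthy.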