CVE-2024-34787
📋 TL;DR
This CVE describes a path traversal vulnerability in Ivanti Endpoint Manager that allows a local unauthenticated attacker to execute arbitrary code. User interaction is required for exploitation. Affected systems are those running Ivanti Endpoint Manager 2024 before the November 2024 security update or 2022 before SU6 November security update.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrative privileges, installing persistent malware, and accessing sensitive data across the network.
Likely Case
Local privilege escalation leading to lateral movement within the network and potential data exfiltration.
If Mitigated
Limited impact due to network segmentation and strict access controls preventing lateral movement.
🎯 Exploit Status
Local unauthenticated access combined with user interaction makes this exploitable by attackers with physical or compromised local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 November Security Update for EPM 2024 or 2022 SU6 November Security Update for EPM 2022
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Ivanti support portal.
2. Apply the update following Ivanti's deployment guide.
3. Restart affected systems.
4. Verify successful installation.
🔧 Temporary Workarounds
Restrict local access
Limit physical and local administrative access to systems running Ivanti EPM
User awareness training
Educate users about the risks of running untrusted applications or clicking suspicious links
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPM servers from critical systems
- Deploy application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the administration console or via the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Version
Check Version:
reg query "HKLM\SOFTWARE\LANDesk\ManagementSuite" /v Version
Verify Fix Applied:
Verify that the installed version matches the patched version (2024 November update for EPM 2024, or 2022 SU6 November update for EPM 2022)
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in EPM logs
- Unexpected process execution from EPM directories
- Failed path traversal attempts in application logs
Network Indicators:
- Unusual outbound connections from EPM servers
- Lateral movement attempts from EPM systems
SIEM Query:
source="epm_logs" AND (event="file_access" OR event="process_execution") AND (path="*..\\*" OR path="*../*")
Note: an exact match such as path="../" only fires when the whole field equals that string; a wildcard (or "contains") match is needed to catch traversal sequences embedded in a longer path, and percent-encoded variants (%2e%2e) must be decoded before matching.
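The detection logic behind the SIEM query, as an added example that is not part of the original page or of any Ivanti tooling: it parses constructed key="value" events, restricts to the file-access and process-execution events the query names, and flags paths containing a traversal segment, including percent-encoded forms the literal query would miss. The log format, field names and sample values are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed key="value" events in the shape the SIEM query above assumes;
# these are not real Ivanti EPM log lines.
SAMPLE_LOGS = [
    'source="epm_logs" event="file_access" user="svc_epm" path="C:\\Program Files\\LANDesk\\ManagementSuite\\ldlogon\\x.cfg"',
    'source="epm_logs" event="file_access" user="jdoe" path="..\\..\\Windows\\System32\\config\\SAM"',
    'source="epm_logs" event="process_execution" user="jdoe" path="C:\\ProgramData\\LANDesk\\..\\..\\Temp\\dropper.exe"',
    'source="epm_logs" event="file_access" user="jdoe" path="%2e%2e/%2e%2e/etc/passwd"',
    'source="epm_logs" event="logon" user="jdoe" path="../"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# A ".." segment bounded by a slash, backslash, or the start/end of the path.
# Names like "..b" or "foo.." are ordinary and must not match.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
WATCHED_EVENTS = {"file_access", "process_execution"}


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def has_traversal(path: str) -> bool:
    """True if the path contains a directory-traversal segment.

    Percent-decoding is applied twice so single- and double-encoded
    sequences (%2e%2e, %252e%252e) are caught along with plain ../ and ..\\.
    """
    decoded = unquote(unquote(path))
    return TRAVERSAL_RE.search(decoded) is not None


def suspicious_events(lines) -> list:
    """Return EPM file-access / process-execution events whose path traverses."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("source") != "epm_logs" or ev.get("event") not in WATCHED_EVENTS:
            continue  # same scoping as the SIEM query: other event types are ignored
        if has_traversal(ev.get("path", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_LOGS):
        print(f'{ev["event"]:18} user={ev["user"]:8} path={ev["path"]}')
```

Run against the constructed sample, three of the five events are flagged; the benign ldlogon read and the logon event (out of scope for the query) are not.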