CVE-2024-37397
📋 TL;DR
An unauthenticated attacker can exploit an XML External Entity (XXE) vulnerability in Ivanti EPM's provisioning web service to read sensitive files, including API secrets. This affects Ivanti EPM versions before 2022 SU6 and before the September 2024 update. Remote attackers can access the system without credentials.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPM server through leaked API secrets, leading to lateral movement, privilege escalation, and potential domain takeover.
Likely Case
Exfiltration of API secrets and sensitive configuration files, enabling further attacks against integrated systems.
If Mitigated
Limited impact if network segmentation and strict access controls prevent external access to the vulnerable service.
🎯 Exploit Status
XXE vulnerabilities are well-understood with readily available exploitation tools. The unauthenticated nature makes this particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or September 2024 update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Ivanti's support portal.
2. Apply the patch following Ivanti's installation guide.
3. Restart the EPM server and verify the service is running correctly.
🔧 Temporary Workarounds
Disable External Entity Processing
Configure XML parsers to disable external entity resolution
Modify XML parser configuration to set features: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true
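The two parser controls named above (refuse DOCTYPE declarations, stop external entity resolution) expressed as an intake gate for a web service that accepts untrusted XML. This is an added example in Python, not Ivanti's code and not EPM's actual parser configuration; the feature names on the page are Java/Xerces settings, and the SAX feature used here is the Python equivalent. The sample requests are constructed.

```python
# Added example (not Ivanti's code): an XML intake gate applying two controls:
# reject any DOCTYPE up front (the equivalent of disallow-doctype-decl) and
# turn off external general entity resolution in the underlying SAX parser.
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Any DOCTYPE is refused: entity declarations (internal or external) can only
# appear inside one, so this closes XXE and entity-expansion tricks together.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised when a document fails the intake policy or is malformed."""


class _Collector(ContentHandler):
    """Minimal handler that records element names and character data."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(data: bytes) -> dict:
    """Parse XML from an untrusted client; returns element names and text."""
    if _DOCTYPE_RE.search(data):
        raise XmlRejected("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # Belt and braces: even if a DOCTYPE slipped through, the parser will not
    # fetch external general entities (file:// or http:// references).
    parser.setFeature(feature_external_ges, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXParseException as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return {"elements": handler.elements, "text": "".join(handler.text).strip()}


def accepts(data: bytes) -> bool:
    """True if the document passes the intake policy, False if it is rejected."""
    try:
        parse_untrusted(data)
    except XmlRejected:
        return False
    return True


# Constructed sample requests (not real EPM traffic); the file path is a placeholder.
BENIGN_REQUEST = b'<?xml version="1.0"?><provision><device id="1">host01</device></provision>'
XXE_SHAPED_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE provision [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<provision><device id="1">&ext;</device></provision>'
)

if __name__ == "__main__":
    print(parse_untrusted(BENIGN_REQUEST))
    print("XXE-shaped request accepted?", accepts(XXE_SHAPED_REQUEST))
```

The DOCTYPE check runs on the raw bytes before any parser is constructed, so a provisioning endpoint that never needs a DTD loses nothing; the SAX feature is kept as a second layer for code paths that do not go through the gate.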
Network Segmentation
Restrict access to the provisioning web service port (typically 443 or 8443)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="8443" accept'
netsh advfirewall firewall add rule name="Block EPM External" dir=in action=block protocol=TCP localport=8443 remoteip=any
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the EPM provisioning service to trusted IPs only.
- Deploy a web application firewall (WAF) with XXE protection rules in front of the EPM server.
🔍 How to Verify
Check if Vulnerable:
Check the EPM version via the web interface or by examining installed programs. Versions before 2022 SU6, or without the September 2024 update, are vulnerable.
Check Version:
On Windows: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Ivanti Endpoint Manager*"} | Select-Object Name, Version
Verify Fix Applied:
Verify the installed version shows 2022 SU6 or later, or confirm the September 2024 update is applied. Test with a controlled XXE payload to ensure it's blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML payloads in web server logs containing SYSTEM or ENTITY declarations
- Multiple failed authentication attempts followed by XML requests to provisioning endpoints
Network Indicators:
- HTTP POST requests to /provisioning/* endpoints with XML content containing external entity references
- Outbound connections from EPM server to unexpected external IPs
SIEM Query:
source="epm-webserver" AND url="*/provisioning/*" AND (request_body="*<!ENTITY*" OR request_body="*SYSTEM*")
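The log and network indicators above, turned into a standalone check over constructed web-server log records. This is an added example, not part of the advisory and not Ivanti tooling; the record fields (src_ip, method, url, request_body) are an assumed JSON-lines log schema, the URL paths are placeholders under the /provisioning/ prefix the page names, and the sample records are constructed. It is deliberately stricter than the SIEM query: "SYSTEM" only counts when it appears alongside an entity declaration, which keeps ordinary request bodies containing that word from alerting.

```python
# Added example (not from the advisory or Ivanti): XXE-shaped request detection
# over JSON-lines web-server log records with an assumed schema.
import json
import re
from typing import Iterable, List, Optional

PROVISIONING_PATH = re.compile(r"/provisioning/", re.IGNORECASE)
# DOCTYPE, ENTITY and an external identifier are the tokens an XXE payload
# cannot avoid; requiring them together avoids alerting on the bare word SYSTEM.
DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY = re.compile(r"<!ENTITY", re.IGNORECASE)
EXTERNAL_ID = re.compile(r"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify(record: dict) -> Optional[str]:
    """Return a severity label for one log record, or None if it looks benign."""
    if not PROVISIONING_PATH.search(record.get("url", "")):
        return None
    body = record.get("request_body", "")
    has_doctype = bool(DOCTYPE.search(body))
    has_entity = bool(ENTITY.search(body))
    if has_entity and EXTERNAL_ID.search(body):
        return "high"    # entity declared with an external identifier: XXE shape
    if has_doctype or has_entity:
        return "medium"  # DOCTYPE or internal entity on an endpoint that needs neither
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines log records and return the matching ones with a label."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count and surface these
        label = classify(rec)
        if label:
            hits.append({"src_ip": rec.get("src_ip"), "url": rec.get("url"), "severity": label})
    return hits


# Constructed sample log (documentation IP ranges, placeholder paths); not real EPM logs.
SAMPLE_LOG = """
{"src_ip": "198.51.100.7", "method": "POST", "url": "/provisioning/placeholder", "request_body": "<?xml version='1.0'?><!DOCTYPE r [<!ENTITY e SYSTEM 'file:///placeholder'>]><r>&e;</r>"}
{"src_ip": "203.0.113.5", "method": "POST", "url": "/provisioning/placeholder", "request_body": "<provision><device>host01</device></provision>"}
{"src_ip": "198.51.100.9", "method": "POST", "url": "/provisioning/placeholder", "request_body": "<!DOCTYPE provision><provision/>"}
{"src_ip": "203.0.113.8", "method": "POST", "url": "/login", "request_body": "<!DOCTYPE x><x/>"}
{"src_ip": "203.0.113.9", "method": "POST", "url": "/provisioning/placeholder", "request_body": "<r>SYSTEM maintenance window</r>"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The /login record carries a DOCTYPE but is ignored because the path filter is applied first, which is the precedence the SIEM query needs; the record whose body merely contains "SYSTEM" is not flagged.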