CVE-2024-7612
📋 TL;DR
This vulnerability allows local authenticated attackers to modify sensitive components in Ivanti EPMM due to insecure permissions. Organizations running Ivanti EPMM versions before 12.1.0.4 are affected. Attackers must have local access and authentication to exploit this weakness.
💻 Affected Systems
- Ivanti Endpoint Manager Mobile (EPMM)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPMM system allowing attackers to modify critical components, potentially leading to data exfiltration, system takeover, or lateral movement within the network.
Likely Case
Unauthorized modification of application components leading to privilege escalation, configuration changes, or disruption of mobile device management services.
If Mitigated
Limited impact: proper access controls, network segmentation, and monitoring prevent successful exploitation even if the vulnerability exists.
🎯 Exploit Status
Exploitation requires local authenticated access. The CWE-732 classification (Incorrect Permission Assignment) suggests straightforward exploitation once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.1.0.4
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2024-7612
Restart Required: Yes
Instructions:
1. Download Ivanti EPMM version 12.1.0.4 from the Ivanti support portal.
2. Back up the current configuration and data.
3. Apply the update following Ivanti's upgrade documentation.
4. Restart the EPMM services or server as required.
🔧 Temporary Workarounds
Restrict Local Access
All platforms: Limit local access to EPMM systems to authorized administrators only
Enhanced Monitoring
All platforms: Implement strict monitoring of file permission changes and unauthorized access attempts
🧯 If You Can't Patch
- Implement strict access controls limiting local authentication to essential personnel only
- Deploy enhanced monitoring and alerting for unauthorized file modifications and permission changes
🔍 How to Verify
Check if Vulnerable:
Check EPMM version in administration console or via command line. Versions below 12.1.0.4 are vulnerable.
Check Version:
Check EPMM web interface or consult Ivanti documentation for version verification commands specific to your deployment.
Verify Fix Applied:
Verify EPMM version is 12.1.0.4 or later in administration console. Check that permission settings for sensitive components are properly configured.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized permission changes
- Unexpected file modifications in EPMM directories
- Failed authentication attempts followed by successful local logins
Network Indicators:
- Unusual administrative access patterns to EPMM management interfaces
SIEM Query:
source="epmm" AND (event_type="permission_change" OR event_type="file_modification") AND user NOT IN (authorized_admin_list)
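
The log indicators listed above (permission changes and unexpected file modifications) can be generated by a baseline-and-compare check such as the one below. This is an added example, not Ivanti tooling or code from the advisory. The directory to watch is supplied by the operator because this page names no EPMM paths, and only the event names `permission_change` and `file_modification` come from the SIEM query; `new_file`, `removed_file` and `world_writable` are hypothetical names.

```python
import hashlib
import json
import os
import stat
import sys

def snapshot(root):
    """Map each path under root to (st_mode, uid, gid, sha256-or-None)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record a symlink itself, not its target
            digest = None
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (st.st_mode, st.st_uid, st.st_gid, digest)
    return snap

def compare(baseline, current):
    """Return sorted (event_type, path) findings between two snapshots."""
    findings = []
    for path, (mode, uid, gid, digest) in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append(("new_file", path))
        else:
            if (mode, uid, gid) != tuple(old[:3]):
                findings.append(("permission_change", path))
            if digest != old[3]:
                findings.append(("file_modification", path))
        # CWE-732 pattern: any local account can write to this component
        if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
            findings.append(("world_writable", path))
    findings.extend(("removed_file", p) for p in baseline if p not in current)
    return sorted(findings)

if __name__ == "__main__":
    # Arguments (operator-supplied): directory to watch, baseline JSON file
    root, state = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if os.path.exists(state):
        with open(state) as fh:
            baseline = json.load(fh)
        for event, path in compare(baseline, current):
            print(f"{event}\t{path}")
    else:
        with open(state, "w") as fh:  # first run records the baseline
            json.dump(current, fh)
```

Record the baseline immediately after applying 12.1.0.4 and keep the baseline file somewhere local EPMM accounts cannot write.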