CVE-2024-8320
📋 TL;DR
This vulnerability allows a remote, unauthenticated attacker to spoof the Network Isolation status of devices managed by Ivanti EPM: a device that is not actually isolated can be made to appear isolated in the console, which can mislead operators and bypass containment workflows that trust that status. Organizations running Ivanti EPM 2022 before SU6, or EPM 2024 before the September 2024 update, are affected.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass network isolation controls entirely, allowing compromised devices to communicate freely across the network and potentially spread malware or exfiltrate data while appearing isolated.
Likely Case
Attackers spoof isolation status to bypass security monitoring and containment measures, enabling lateral movement or data exfiltration from supposedly isolated devices.
If Mitigated
With the EPM management interfaces reachable only from trusted networks and with additional authentication in front of them, the impact is limited to a misleading isolation status in the console; spoofing the status does not by itself grant the attacker network access.
🎯 Exploit Status
The advisory describes the flaw as missing authentication on the Network Isolation function, exploitable remotely without credentials, which suggests a straightforward attack vector. No public proof-of-concept is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 for EPM 2022, September 2024 update for EPM 2024
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the appropriate update from Ivanti's support portal.
2. Apply the update to your EPM server.
3. Restart the EPM service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Network Isolation Feature
Temporarily disable the Network Isolation feature in Ivanti EPM until patches can be applied. Note that this removes a containment control you may rely on during incident response, so weigh it against the spoofing risk.
Navigate to EPM console > Security Settings > Network Isolation > Disable
Implement Network Access Control
Use firewall rules or network segmentation to restrict access to EPM management interfaces.
Configure firewall to restrict access to EPM ports (typically 80, 443, 8443) to trusted IPs only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPM management interfaces from untrusted networks
- Deploy additional authentication mechanisms (MFA, certificate-based auth) for EPM access
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the console under Admin > About. EPM 2022 earlier than SU6, or EPM 2024 without the September 2024 update, is vulnerable.
Check Version:
In EPM console: Admin > About displays current version
Verify Fix Applied:
After applying updates, verify that the version shown under Admin > About is 2022 SU6 or later (for EPM 2022) or includes the September 2024 update (for EPM 2024). Then exercise the Network Isolation function and confirm that isolation status changes are only accepted from authenticated sessions.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to Network Isolation endpoints
- Unexpected changes to device isolation status
- Failed authentication events followed by isolation status modifications
Network Indicators:
- Unusual traffic patterns from supposedly isolated devices
- Network isolation API calls from untrusted sources
SIEM Query (illustrative; the source and field names depend on how your EPM logs are forwarded and parsed):
source="ivanti_epm" AND (event_type="network_isolation_change" AND auth_status="failed")
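The indicators above can be turned into a small correlation rule. The following is an added example, not Ivanti's code or anything from the advisory: it runs over a handful of constructed log lines and flags an isolation status change when it lacks a successful authentication, comes from outside the trusted console subnet, or is preceded by failed logins from the same source within a short window. The key=value log format, the field names (ts, src_ip, event_type, auth_status, device, state), the trusted subnet and the window length are all assumptions to be mapped onto your real EPM log schema.

```python
"""Correlation sketch for spoofed Network Isolation status changes.

Added example for CVE-2024-8320 monitoring; not Ivanti's code. The log
format and field names are assumptions, as is the trusted console subnet.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real EPM output). The third block shows
# the pattern we care about: failed logins from an untrusted address followed
# by an isolation status change for the same device with no successful auth.
SAMPLE_LOGS = """\
ts=2024-09-10T12:00:01 src_ip=10.0.5.20 event_type=auth auth_status=success user=admin
ts=2024-09-10T12:00:05 src_ip=10.0.5.20 event_type=network_isolation_change auth_status=success device=WS-0142 state=isolated
ts=2024-09-10T12:01:10 src_ip=203.0.113.9 event_type=auth auth_status=failed user=admin
ts=2024-09-10T12:01:12 src_ip=203.0.113.9 event_type=auth auth_status=failed user=admin
ts=2024-09-10T12:01:20 src_ip=203.0.113.9 event_type=network_isolation_change auth_status=none device=WS-0142 state=isolated
ts=2024-09-10T12:02:00 src_ip=10.0.5.21 event_type=network_isolation_change auth_status=success device=WS-0177 state=released
"""

TRUSTED_CONSOLE_NETS = ("10.0.5.",)       # assumption: where EPM admins sit
FAILED_AUTH_WINDOW = timedelta(minutes=5)  # assumption: correlation window


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; ts becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_trusted(ip):
    return any(ip.startswith(prefix) for prefix in TRUSTED_CONSOLE_NETS)


def find_suspicious_isolation_changes(log_text):
    """Return one alert dict per isolation change that matches any indicator."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev["event_type"] != "network_isolation_change":
            continue
        reasons = []
        # Indicator 1: status change not backed by a successful authentication.
        if ev.get("auth_status") != "success":
            reasons.append("isolation change without successful auth")
        # Indicator 2: request came from outside the trusted console network.
        if not is_trusted(ev["src_ip"]):
            reasons.append("isolation change from untrusted source")
        # Indicator 3: failed logins from the same source shortly before.
        prior_failures = [
            e for e in events
            if e["event_type"] == "auth"
            and e.get("auth_status") == "failed"
            and e["src_ip"] == ev["src_ip"]
            and ev["ts"] - FAILED_AUTH_WINDOW <= e["ts"] < ev["ts"]
        ]
        if prior_failures:
            reasons.append(
                f"{len(prior_failures)} failed auth(s) from same source "
                f"within {FAILED_AUTH_WINDOW}"
            )
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "src_ip": ev["src_ip"],
                "device": ev.get("device"),
                "state": ev.get("state"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_isolation_changes(SAMPLE_LOGS):
        print(alert)
```

On the sample data only the 203.0.113.9 change is reported, with all three reasons; the two changes from the console subnet with successful authentication are not. In production the third indicator is the most robust of the three, because a spoofing request that carries no session at all may be logged with an empty or absent auth field rather than an explicit failure, which is why the check treats anything other than an explicit success as suspicious.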