CVE-2024-9845
📋 TL;DR
This vulnerability allows a local authenticated attacker to escalate privileges on systems running vulnerable versions of Ivanti Automation. Attackers with standard user access can gain higher privileges through insecure permissions. Organizations using Ivanti Automation before version 2024.4.0.1 are affected.
💻 Affected Systems
- Ivanti Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains administrative/root privileges, potentially leading to data theft, lateral movement, or persistence establishment.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access restricted data and systems.
If Mitigated
Limited impact if proper access controls, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires local authenticated access, but the vulnerability involves insecure permissions, which typically have low exploitation complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.4.0.1
Vendor Advisory: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Automation-CVE-2024-9845
Restart Required: Yes
Instructions:
1. Download Ivanti Automation version 2024.4.0.1 or later from the Ivanti portal.
2. Back up current configuration and data.
3. Install the update following Ivanti's upgrade documentation.
4. Restart the Ivanti Automation services and verify functionality.
🔧 Temporary Workarounds
Restrict Local Access
Limit local access to Ivanti Automation systems to only authorized administrators.
Implement Least Privilege
Ensure all users operate with minimum necessary privileges and cannot execute unauthorized privileged operations.
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Isolate affected systems from critical network segments and implement additional monitoring
🔍 How to Verify
Check if Vulnerable:
Check Ivanti Automation version in administration console or via 'ivanti-automation --version' command.
Check Version:
ivanti-automation --version
Verify Fix Applied:
Verify version is 2024.4.0.1 or later and test that standard users cannot perform privileged operations.
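A fleet-wide form of the version check above, as an added example (not vendor code and not part of the original page): it compares reported versions numerically against 2024.4.0.1, since plain string comparison misorders values such as 2024.10 and 2024.4. The CSV inventory format, hostnames and sample versions are constructed assumptions, as is treating a short version like "2024.4" as 2024.4.0.0.

```python
import csv
import io

FIXED = (2024, 4, 0, 1)  # patch version stated in the advisory

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
host,version
auto-01,2024.4.0.1
auto-02,2024.2.0.5
auto-03,2024.10.0.0
auto-04,2024.4
auto-05,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    # Assumption: missing trailing components count as zero.
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version_text):
    """Return 'patched', 'vulnerable', or 'unknown' (needs a manual check)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 2024.10 > 2024.4.
    return "patched" if version >= FIXED else "vulnerable"


def audit(csv_text):
    """Map host -> status for every row of a host,version CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["version"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be checked by hand rather than assumed patched.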
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Unauthorized access to privileged directories or files
- Suspicious process creation with elevated privileges
Network Indicators:
- Unusual outbound connections from Ivanti Automation systems
- Lateral movement attempts from previously low-privilege accounts
SIEM Query:
source="ivanti-automation" AND (event_type="privilege_escalation" OR user_elevation="true")