CVE-2024-29847
Ivanti Endpoint Manager (EPM) Pre-Auth RCE
Introduction
| Remote | ✅ |
| Authenticated | ❌ |
| Default config | ❌ |
| Source | 🌍 |
Affected Versions
- EPM 2022 <= SU5
- EPM 2024
Details
On September 10, 2024, Ivanti announced a critical vulnerability (CVSSv3.0: 10), identified as CVE-2024-29847, which allows for remote arbitrary code execution without prior authentication.
For about a year, critical vulnerabilities have continued to emerge across various Ivanti products, with the first in this series likely being CVE-2023-35078 on the EPMM product in July 2023. Given the widespread use of these products by large companies and institutions, they have become prime targets for attackers.
Notable victims of past vulnerabilities include Norwegian government ministries, and more recently MITRE and CISA, underscoring once again that no organization, regardless of its cybersecurity maturity, is immune to this type of attack.
These vulnerabilities are regularly exploited in mass attacks as soon as a functional proof of concept is released.
CVE-2024-29847 is based on the deserialization of untrusted data (CWE-502). Deserialization is the process of converting data from a stored or transmitted format (such as JSON, XML, etc.) into an object or data structure that can be used by a program. It allows an object to be recreated from a previously serialized data string.
However, if the received data is malicious or insufficiently sanitized, it can lead to denial of service, data modification, or, in this specific case, arbitrary code execution.
The vulnerability, reported by Sina Kheirkhah (@SinSinology), is based on James Forshaw’s work on .NET Remoting exploitation, as Kheirkhah himself noted in his publication.
Furthermore, Microsoft considers .NET Remoting to be insecure and recommends migrating to WCF (Windows Communication Foundation).
Detection
Vulnerabilities such as CVE-2024-29847 are relatively difficult to detect due to the numerous possible attack vectors.
Although no public detection rules were available at the time of writing, Gatewatcher was able to derive rules from the published proof of concept that detect exploitation attempts related to this CVE.
These rules key on specific steps and characteristics of the requests, chained together with xbits so that the final alert only fires once every earlier step has been observed for the same IP pair, in order to minimize false positives:
alert tcp any any -> any any (msg:"GWLAB CURR_EVT Step 1"; flow:established,to_server; content:"Register"; content:"ILease"; distance: 40; content: "System.Collections.IEqualityComparer"; distance:100; content:"System.IConvertible"; distance:0; content: "tcp://"; distance:0; xbits: set,remoting_ilease_connectback, track ip_pair, expire 300; noalert; reference: cve,CVE-2024-29847; metadata: provider Gatewatcher, signature_severity Informational; sid:1000001; rev: 1; )
alert tcp any any -> any any (msg:"GWLab CURR_EVT Step2 low bypass"; flow: established; xbits: isset,remoting_ilease_connectback, track ip_pair; content:"ToType"; content:"System.IConvertible"; distance: 0; xbits: set, remoting_ilease_step2, track ip_pair, expire 300; noalert; reference: cve,CVE-2024-29847; metadata: provider Gatewatcher, signature_severity Informational; sid: 1000002; rev:1;)
alert tcp any any -> any any (msg:"GWLab CURR_EVT Step3 FileInfo"; flow: established,to_client; xbits: isset, remoting_ilease_connectback,track ip_pair; xbits: isset, remoting_ilease_step2, track ip_pair; content:"System.IO.FileInfo"; content:"OriginalPath|08|FullPath"; distance: 0; content:"LANDesk|5C|ManagementSuite"; distance: 0; xbits: set, remoting_ilease_fileinfo, track ip_pair, expire 300; noalert; reference: cve,CVE-2024-29847; metadata: provider Gatewatcher, signature_severity Informational; sid: 1000003; rev:1;)
alert tcp any any -> any any (msg:"GWLab CURR_EVT Possible Ivanti EPM RCE attempt"; flow: established,to_client; xbits: isset, remoting_ilease_connectback,track ip_pair; xbits: isset, remoting_ilease_step2, track ip_pair; xbits: isset, remoting_ilease_fileinfo, track ip_pair; content:"System.IO.FileInfo"; content:"OriginalPath|08|FullPath"; distance: 0; content:"LANDesk|5C|ManagementSuite"; distance: 0; content:"System.Collections.IEqualityComparer"; distance: 0; xbits: unset,remoting_ilease_connectback, track ip_pair; xbits: unset,remoting_ilease_step2, track ip_pair; xbits: unset,remoting_ilease_fileinfo, track ip_pair; reference: cve,CVE-2024-29847; metadata: provider Gatewatcher, signature_severity Critical; sid: 1000004; rev:1;)
Since each environment is unique, it is essential to test these rules before deploying them in production.
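To see how the four rules above chain through xbits before the single Critical alert fires, here is an added Python model (not Gatewatcher's code) that emulates the content/distance matching and the per-IP-pair xbits state of those rules, fed with constructed marker-only traffic rather than real .NET Remoting messages. It simplifies Suricata (leftmost match without backtracking, no xbits expiry, rules evaluated in listed order), so it helps reason about the chain but is no substitute for testing the rules on real traffic.

```python
# Rule = (msg, direction, needed xbits, ((content, distance), ...), xbits set, xbits unset, alerts?)
# direction: True = to_client, False = to_server, None = either ("flow: established" only). alerts? False models "noalert".
FILEINFO = (("System.IO.FileInfo", None), ("OriginalPath\x08FullPath", 0), ("LANDesk\\ManagementSuite", 0))
RULES = (
    ("Step 1", False, (), (("Register", None), ("ILease", 40), ("System.Collections.IEqualityComparer", 100),
                           ("System.IConvertible", 0), ("tcp://", 0)), ("connectback",), (), False),
    ("Step2 low bypass", None, ("connectback",), (("ToType", None), ("System.IConvertible", 0)),
     ("step2",), (), False),
    ("Step3 FileInfo", True, ("connectback", "step2"), FILEINFO, ("fileinfo",), (), False),
    ("Possible Ivanti EPM RCE attempt", True, ("connectback", "step2", "fileinfo"),
     FILEINFO + (("System.Collections.IEqualityComparer", 0),), (), ("connectback", "step2", "fileinfo"), True),
)
def chain_matches(payload: bytes, chain) -> bool:
    """content/distance emulation: the first content may sit anywhere, each later one must start at
    least `distance` bytes after the end of the previous match (leftmost match only, no backtracking)."""
    pos = 0
    for needle, distance in chain:
        idx = payload.find(needle.encode(), 0 if distance is None else pos + distance)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def process(packets):
    """packets: iterable of (ip_pair, to_client, payload). Returns the alert messages that fire.
    xbits expiry is ignored; a bit set by an earlier rule is visible to later rules on the same packet."""
    bits, alerts = {}, []
    for pair, to_client, payload in packets:
        state = bits.setdefault(pair, set())
        for msg, direction, needs, chain, sets, unsets, alerts_on_match in RULES:
            if direction is not None and direction != to_client:
                continue
            if not set(needs) <= state or not chain_matches(payload, chain):
                continue
            state.update(sets)
            state.difference_update(unsets)
            if alerts_on_match:
                alerts.append(f"{pair}: {msg}")
    return alerts

# Constructed marker-only traffic (not real .NET Remoting messages) for one ip pair that goes through every step.
PAIR = ("10.0.0.5", "10.0.0.9")
SAMPLE = [
    (PAIR, False, b"Register" + b"A" * 40 + b"ILease" + b"B" * 100 + b"System.Collections.IEqualityComparer"
     + b"System.IConvertible" + b"tcp://10.0.0.5:9999/x"),
    (PAIR, False, b"ToType" + b"System.IConvertible"),
    (PAIR, True, b"System.IO.FileInfo" + b"OriginalPath\x08FullPath" + b"LANDesk\\ManagementSuite"
     + b"System.Collections.IEqualityComparer"),
]
```

`process(SAMPLE)` yields one Critical alert for PAIR, while the step-3 packet on its own, or replayed after the alert has cleared the bits, yields nothing; that is the false-positive reduction the xbits chain buys.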