CVE-2024-29847
Ivanti Endpoint Manager (EPM) Pre-Auth RCE

Le Lab Gatewatcher

Introduction


Affected Versions

  • EPM 2022 <= SU5
  • EPM 2024

Details


On September 10, 2024, Ivanti announced a critical vulnerability (CVSSv3.0: 10), identified as CVE-2024-29847, which allows for remote arbitrary code execution without prior authentication.

For about a year, critical vulnerabilities have continued to emerge across various Ivanti products, with the first in this series likely being CVE-2023-35078 on the EPMM product in July 2023. Given the widespread use of these products by large companies and institutions, they have become prime targets for attackers.

Notable victims of past vulnerabilities include Norwegian government ministries, and more recently MITRE and CISA, underscoring once again that no organization, regardless of its cybersecurity maturity, is immune to this type of attack.

These vulnerabilities are regularly exploited in mass attacks as soon as a functional proof of concept is released.

CVE-2024-29847 is based on the deserialization of untrusted data (CWE-502). Deserialization is the process of converting data from a stored or transmitted format (such as JSON, XML, etc.) into an object or data structure that can be used by a program. It allows an object to be recreated from a previously serialized data string.

However, if the received data is malicious or insufficiently sanitized, it can lead to denial of service, data modification, or, in this specific case, arbitrary code execution.

The vulnerability, reported by Sina Kheirkhah (@SinSinology), is based on James Forshaw’s work on .NET Remoting exploitation, as Kheirkhah himself noted in his publication.

Furthermore, Microsoft considers .NET Remoting to be insecure and recommends migrating to WCF (Windows Communication Foundation).

Detection


Vulnerabilities such as CVE-2024-29847 are relatively difficult to detect due to the numerous possible attack vectors.

Although no public detection rules were available at the time of writing, based on the published proof of concept, Gatewatcher is able to provide rules that allow for the detection of exploitation attempts related to this CVE.

These detection rules are based on identifying specific steps and characteristics of the requests to minimize false positives:

# Step 1 (client -> server): lease registration message that carries a tcp:// connect-back URL; sets the first xbit, no alert
alert tcp any any -> any any (msg:"GWLAB CURR_EVT Step 1"; flow:established,to_server; content:"Register"; content:"ILease"; distance:40; content:"System.Collections.IEqualityComparer"; distance:100; content:"System.IConvertible"; distance:0; content:"tcp://"; distance:0; xbits:set,remoting_ilease_connectback,track ip_pair,expire 300; noalert; reference:cve,CVE-2024-29847; metadata:provider Gatewatcher, signature_severity Informational; sid:1000001; rev:1;)

# Step 2 (either direction): ToType / IConvertible conversion marker, only considered once Step 1 was seen for the same ip_pair
alert tcp any any -> any any (msg:"GWLab CURR_EVT Step2 low bypass"; flow:established; xbits:isset,remoting_ilease_connectback,track ip_pair; content:"ToType"; content:"System.IConvertible"; distance:0; xbits:set,remoting_ilease_step2,track ip_pair,expire 300; noalert; reference:cve,CVE-2024-29847; metadata:provider Gatewatcher, signature_severity Informational; sid:1000002; rev:1;)

# Step 3 (server -> client): serialized System.IO.FileInfo whose path points into LANDesk\ManagementSuite
alert tcp any any -> any any (msg:"GWLab CURR_EVT Step3 FileInfo"; flow:established,to_client; xbits:isset,remoting_ilease_connectback,track ip_pair; xbits:isset,remoting_ilease_step2,track ip_pair; content:"System.IO.FileInfo"; content:"OriginalPath|08|FullPath"; distance:0; content:"LANDesk|5C|ManagementSuite"; distance:0; xbits:set,remoting_ilease_fileinfo,track ip_pair,expire 300; noalert; reference:cve,CVE-2024-29847; metadata:provider Gatewatcher, signature_severity Informational; sid:1000003; rev:1;)

# Step 4: all three xbits set and the FileInfo object followed by IEqualityComparer; this is the only rule that alerts, and it clears the xbits afterwards
alert tcp any any -> any any (msg:"GWLab CURR_EVT Possible Ivanti EPM RCE attempt"; flow:established,to_client; xbits:isset,remoting_ilease_connectback,track ip_pair; xbits:isset,remoting_ilease_step2,track ip_pair; xbits:isset,remoting_ilease_fileinfo,track ip_pair; content:"System.IO.FileInfo"; content:"OriginalPath|08|FullPath"; distance:0; content:"LANDesk|5C|ManagementSuite"; distance:0; content:"System.Collections.IEqualityComparer"; distance:0; xbits:unset,remoting_ilease_connectback,track ip_pair; xbits:unset,remoting_ilease_step2,track ip_pair; xbits:unset,remoting_ilease_fileinfo,track ip_pair; reference:cve,CVE-2024-29847; metadata:provider Gatewatcher, signature_severity Critical; sid:1000004; rev:1;)


Since each environment is unique, it is essential to test these rules before deploying them in production.
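To make the chaining of the four rules above concrete, here is an added Python simulator (not Gatewatcher's code, and not a Suricata replacement) that replays their xbits state machine over constructed payloads. It assumes rules are evaluated in sid order, tracks xbits per unordered ip_pair with the 300-second expiry, and simplifies content/distance matching to "the next pattern must begin at least `distance` bytes after the previous match ends"; the addresses, the listener URL and the message bytes are constructed for the example.

```python
from collections import defaultdict
EXPIRE = 300  # seconds, mirrors "expire 300" in the rules above

def match_contents(payload, contents):
    pos = 0  # each pattern must start >= dist bytes after the previous match ends (Suricata 'distance')
    for pat, dist in contents:
        idx = payload.find(pat, pos + dist)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True

FILEINFO = [(b"System.IO.FileInfo", 0), (b"OriginalPath\x08FullPath", 0), (b"LANDesk\\ManagementSuite", 0)]
# (sid, flow direction or None, xbits required, xbit set, xbits unset, ordered contents, alert?) per rule above
RULES = [
    (1000001, "to_server", [], "connectback", [], [(b"Register", 0), (b"ILease", 40),
     (b"System.Collections.IEqualityComparer", 100), (b"System.IConvertible", 0), (b"tcp://", 0)], False),
    (1000002, None, ["connectback"], "step2", [], [(b"ToType", 0), (b"System.IConvertible", 0)], False),
    (1000003, "to_client", ["connectback", "step2"], "fileinfo", [], FILEINFO, False),
    (1000004, "to_client", ["connectback", "step2", "fileinfo"], None, ["connectback", "step2", "fileinfo"],
     FILEINFO + [(b"System.Collections.IEqualityComparer", 0)], True),
]

def run(events):  # events: (ts, ip_a, ip_b, direction, payload); returns [(ts, sid)] for the alerting rule
    bits, alerts = defaultdict(dict), []  # xbits per unordered ip_pair -> {name: expiry_ts}
    for ts, ip_a, ip_b, direction, payload in events:
        state = bits[frozenset((ip_a, ip_b))]
        for sid, want_dir, req, set_bit, unset_bits, contents, alert in RULES:
            if (want_dir and want_dir != direction) or any(state.get(r, 0) <= ts for r in req):
                continue  # wrong flow direction, or a required xbit is missing/expired
            if not match_contents(payload, contents):
                continue
            if set_bit:
                state[set_bit] = ts + EXPIRE
            for name in unset_bits:
                state.pop(name, None)
            if alert:  # rules 1-3 carry 'noalert'; only the last one raises the Critical alert
                alerts.append((ts, sid))
    return alerts

def sample_chain(gap=1):
    # Constructed four-message exchange (not a real capture); step i is seen at ts = i * gap
    epm, atk, pad = "10.0.0.5", "198.51.100.7", b"\x00"
    step1 = b"Register" + pad * 40 + b"ILease" + pad * 100 + b"System.Collections.IEqualityComparer"
    fileinfo = b"System.IO.FileInfo" + b"OriginalPath\x08FullPath" + b"LANDesk\\ManagementSuite"
    return [(0, atk, epm, "to_server", step1 + b"System.IConvertible" + b"tcp://listener.example:1234/x"),
            (gap, atk, epm, "to_server", b"ToType" + b"System.IConvertible"),
            (2 * gap, atk, epm, "to_client", fileinfo),
            (3 * gap, atk, epm, "to_client", fileinfo + b"System.Collections.IEqualityComparer")]
```

Running the chain with `gap=200` yields no alert because the first xbit has expired by the time step 3 arrives, which is exactly the time window the `expire 300` clauses impose; dropping step 1 likewise leaves the later steps unarmed.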

 

Correction


The vendor has already released the necessary patches, with details of the fixed versions available in the security bulletin.

Ivanti does not offer any workaround in cases where updating is not immediately possible.

In light of the recent rise in vulnerabilities and the growing interest of cybercriminals in exploiting vulnerable Ivanti instances, it is recommended to apply the patches as soon as possible and to verify that these instances have not been compromised before patching.

Finally, it should be noted that, according to the company’s communication, the multiple vulnerabilities discovered recently are the result of ongoing efforts to enhance the security of their products.