A proof-of-concept (PoC) exploit for CVE-2024-29847, a vital distant code execution (RCE) vulnerability in Ivanti Endpoint Supervisor, is now publicly launched, making it essential to replace units.
The flaw is a deserialization of untrusted information problem impacting Ivanti Endpoint Supervisor earlier than 2022 SU6 and EPM 2024, which was mounted as a part of the September 2024 replace on September 10, 2024.
The vulnerability was found by safety researcher Sina Kheirkhah (@SinSinology), who reported it by way of the Zero Day Initiative (ZDI) on Could 1, 2024.
The identical researcher has now printed the complete particulars on how CVE-2024-29847 may be exploited, which can seemingly gas assaults within the wild.
The CVE-2024-29847 flaw
The basis reason behind the flaw lies within the insecure deserialization inside the AgentPortal.exe executable, particularly, the OnStart technique of the service, which makes use of the deprecated Microsoft .NET Remoting framework to facilitate communication between distant objects.
The service registers a TCP channel with dynamically assigned ports and no safety enforcement, making it doable for a distant attacker to inject malicious objects.
Kheirkhah’s assault movement includes crafting a Hashtable containing serialized objects to ship to the weak endpoint, which, upon deserialization, executes arbitrary operations by calling strategies on the DirectoryInfo or FileInfo objects.
These allow the attacker to carry out file operations reminiscent of studying or writing recordsdata on the server, together with net shells that may execute arbitrary code.
It’s famous within the write-up {that a} low-type filter restricts which objects may be deserialized. Nonetheless, utilizing a method described by James Forshaw, it is doable to bypass the safety mechanism.
Supply: summoning.workforce
Patch now!
Ivanti has made a safety ‘scorching patch’ out there for EPM 2022 and 2024, with SU6 and September 2024 updates, respectively.
The seller affords no different mitigations or workarounds, so making use of the safety replace within the bulletin is the one advice.
In January, CISA warned {that a} vital authentication bypass vulnerability in Ivanti’s Endpoint Supervisor Cell product was actively exploited in assaults.
Final week, Ivanti confirmed that hackers are actively exploiting a high-severity distant code execution flaw, tracked as CVE-2024-8190, in its Cloud Companies Equipment (CSA).
CISA additionally added the flaw to its Recognized Exploited Vulnerabilities catalog, setting the deadline to safe weak home equipment to October 4, 2024.