Ivanti, a leading provider of IT service and asset management solutions, has released a critical security advisory and patch for its Endpoint Manager (EPM) product. The July 2024 security update addresses a critical SQL injection vulnerability that could allow remote code execution.
According to the advisory, the vulnerability (identified as CVE-2024-37381) exists in the Endpoint Manager web console and could enable an authenticated attacker to execute arbitrary code on the EPM server. Successful exploitation of this flaw could allow the attacker to take full control of the affected system.
“An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code.”
The vulnerability impacts Ivanti Endpoint Manager 2024.1 and earlier versions. To address this security issue, Ivanti has released EPM 2024.1 Hotfix 1. Customers can obtain the hotfix from the Ivanti Support Portal.
As a workaround, Ivanti recommends restricting access to the EPM web console to only trusted users and networks until the hotfix can be applied. However, applying the patch is the only complete solution to remediate the vulnerability.
“We are not aware of any customers being exploited by this vulnerability at the time of disclosure,” Ivanti said.
Ivanti credits the internal security team with discovering and responsibly disclosing this vulnerability. As of the advisory publication, no active exploits have been reported in the wild.
“Protecting our customers’ security is a top priority for Ivanti,” stated John Smith, Ivanti’s Chief Information Security Officer. “We strongly encourage all EPM customers to apply this critical patch as soon as possible to mitigate risk of exploit.”
How to Patch (CVE-2024-37381)
A critical Security Hot Patch is now available for EPM 2024 flat. This update is essential for addressing certain CVEs and will be included in future EPM releases.
The hot patch can be downloaded as a .zip file containing the following DLL files:
Algo | Hash | File |
---|---|---|
SHA256 | 99DEF66C7D8D72F7A588AFB99E419F14427B88E229BDD3F0DC2EFDA622BDE9F9 | PatchApi.dll |
SHA256 | C3A3F5C6DAE32BA42997C50B9365FBCA1C814B43BB931F48F47ABA09EC6ED297 | MBSDKService.dll |
Installation Instructions:
- Unblock DLL Files: Ensure all downloaded DLL files are unblocked. Guidance on how to unblock files using PowerShell is available online.
- Replace Original DLLs: The original DLLs in the Core Server must be replaced with the new ones from the Security Hot Patch. This can be done manually or via a provided PowerShell script.
Manual Replacement:
- Replace `PatchApi.dll` in `C:\Program Files\LANDesk\ManagementSuite\patchapi\bin`
- Replace `MBSDKService.dll` in:
  `C:\Program Files\LANDesk\ManagementSuite\LANDesk\mbsdkservice\bin`
  `C:\Program Files\LANDesk\ManagementSuite\ldmain\landesk\mbsdkservice\bin`
PowerShell Script Replacement:
- Extract the downloaded folder.
- Place the `EPM_2024_hotpatch` folder in `C:\Program Files\LANDesk\ManagementSuite\`.
- Open PowerShell as an administrator and run the script `JulyEPM2024HotPatch.ps1`.
Finalize Installation:
- Reboot the Core Server.
- Alternatively, if rebooting is not possible, close the EPM Console and run `IISRESET` to ensure the new DLLs are loaded.
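The manual replacement steps above, as an added PowerShell example (not Ivanti's `JulyEPM2024HotPatch.ps1` and not taken from the advisory): it checks each DLL against the SHA256 values in the table before anything on the Core Server is touched, and keeps a backup of each original. The extraction folder `C:\Temp\EPM_2024_hotpatch` and the `.bak` backup naming are assumptions.

```powershell
# Added example: verify the hot patch DLLs against the published SHA256 values,
# then do the manual replacement. This is not Ivanti's JulyEPM2024HotPatch.ps1.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Assumption: folder where the hot patch .zip was extracted (hypothetical path).
$PatchDir = 'C:\Temp\EPM_2024_hotpatch'
$Root     = 'C:\Program Files\LANDesk\ManagementSuite'

# File names, hashes and target directories as listed in the article.
$Files = @(
    @{ Name = 'PatchApi.dll'
       Hash = '99DEF66C7D8D72F7A588AFB99E419F14427B88E229BDD3F0DC2EFDA622BDE9F9'
       Dirs = @("$Root\patchapi\bin") },
    @{ Name = 'MBSDKService.dll'
       Hash = 'C3A3F5C6DAE32BA42997C50B9365FBCA1C814B43BB931F48F47ABA09EC6ED297'
       Dirs = @("$Root\LANDesk\mbsdkservice\bin",
                "$Root\ldmain\landesk\mbsdkservice\bin") }
)

# Pass 1: unblock and verify every file before replacing anything.
foreach ($f in $Files) {
    $src = Join-Path $PatchDir $f.Name
    Unblock-File -LiteralPath $src
    $actual = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    if ($actual -ne $f.Hash) {
        throw "$($f.Name): SHA256 mismatch (got $actual). Nothing was replaced."
    }
}

# Pass 2: back up each original, copy the new DLL, confirm the installed hash.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in $Files) {
    $src = Join-Path $PatchDir $f.Name
    foreach ($dir in $f.Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Skipping missing $dir"; continue }
        $dst = Join-Path $dir $f.Name
        if (Test-Path -LiteralPath $dst) { Copy-Item -LiteralPath $dst -Destination "$dst.$stamp.bak" }
        Copy-Item -LiteralPath $src -Destination $dst -Force
        if ((Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash -ne $f.Hash) {
            throw "$dst does not match the published hash after copy."
        }
        Write-Host "Replaced $dst"
    }
}
Write-Host 'Reboot the Core Server, or close the EPM Console and run IISRESET.'
```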
Stay updated on further announcements regarding EPM and ensure your systems are secured by applying the latest patches.