Proof-of-Concept Exploit Published for Critical Ivanti EPM Flaws

Research published by Horizon3.ai has disclosed four critical vulnerabilities in Ivanti Endpoint Manager (EPM).

These vulnerabilities, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, allow unauthenticated attackers to coerce the EPM server into authenticating to a host they control, exposing the server's machine account credentials to NTLM relay attacks and putting the server itself at risk of compromise.

Unauthenticated Attackers Can Exploit Vulnerabilities for Server Compromise

The vulnerabilities are in the .NET web service code of Ivanti EPM, specifically in WSVulnerabilityCore.dll, which is located in the C:\Program Files\LANDesk\ManagementSuite directory.

The vulnerability-management web methods this DLL exposes do not validate the path-like parameters they receive. An unauthenticated caller can therefore supply an arbitrary path, including a UNC path pointing at a host the caller controls, and the server will attempt to open it.

CVE-2024-13159 is a flaw in the GetHashForWildcardRecursive() method.

This method accepts a user-controlled string argument named "wildcard" and uses it as a filesystem path without validating it.

An attacker can supply a UNC path such as one pointing at an SMB server under their control. When the EPM server tries to enumerate files at that location, it authenticates with its machine account, and the attacker can capture or relay that authentication.

Similarly, CVE-2024-13160 affects the GetHashForWildcard() method, which performs the same lookup without validating its input.

By calling it with crafted input, an attacker can likewise make the Ivanti EPM server reach out to a remote UNC path.
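The pattern the two wildcard methods share, as an added example that is not Ivanti's code or Horizon3.ai's proof of concept: a Python sketch (using ntpath for Windows path semantics, so it runs on any OS) of a "wildcard" parameter used as a path with no validation, next to a hardened version that rejects UNC, device, drive-qualified and traversal input and confines the result to one directory. The allowed root directory and the sample inputs are constructed for illustration; the real service is .NET, and the same checks apply there.

```python
"""Unvalidated vs. confined path handling for a caller-supplied wildcard.

Constructed example, not Ivanti's code. ntpath gives Windows semantics
even when this file is run on Linux or macOS.
"""
import ntpath
import re
from typing import Optional

# Constructed stand-in for the directory the service is meant to scan.
ALLOWED_ROOT = r"C:\Program Files\LANDesk\ManagementSuite\files"

# Conservative character allow-list for a relative file-name pattern.
# Excludes ':' (drive letters, alternate data streams) and control characters.
_PATTERN_CHARS = re.compile(r"[A-Za-z0-9_.\- *\\/]+")


def resolve_wildcard_unsafe(wildcard: str) -> str:
    """Vulnerable pattern: the caller's string becomes the path to enumerate.

    normpath leaves a UNC prefix intact, so \\\\attacker\\share\\* would be
    handed straight to the SMB client, which authenticates as the machine
    account of the server running this code.
    """
    return ntpath.normpath(wildcard)


def resolve_wildcard_safe(wildcard: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Hardened pattern: return the confined path, or None if the input is rejected."""
    # 1. Anything starting with a separator is UNC (\\server\share),
    #    a device path (\\?\, \\.\) or a rooted path. '/' is a separator too.
    if wildcard.startswith(("\\", "/")):
        return None
    # 2. No drive letters or absolute paths: only a relative pattern is allowed.
    drive, _ = ntpath.splitdrive(wildcard)
    if drive or ntpath.isabs(wildcard):
        return None
    # 3. Character allow-list (also rejects the empty string).
    if not _PATTERN_CHARS.fullmatch(wildcard):
        return None
    # 4. Resolve against the root and require the result to stay inside it.
    #    This is what stops ..\ traversal, which step 3 lets through.
    root_norm = ntpath.normpath(root).lower()
    candidate = ntpath.normpath(ntpath.join(root, wildcard))
    if not candidate.lower().startswith(root_norm + "\\"):
        return None
    return candidate


# Constructed attacker and benign inputs for the demo below.
SAMPLE_INPUTS = [
    r"\\10.0.0.5\share\*",        # UNC path to an attacker-controlled SMB server
    "//10.0.0.5/share/*",         # same, with forward slashes
    r"\\?\UNC\10.0.0.5\share\*",  # device-path form of a UNC path
    r"..\..\Windows\*",           # traversal out of the allowed root
    r"C:\Windows\*",              # absolute path on a local drive
    "*.dll",                      # benign pattern
    r"sub\*.xml",                 # benign pattern in a subdirectory
]


def compare(inputs=SAMPLE_INPUTS) -> dict:
    """Return {input: (unsafe_result, safe_result)} for each sample input."""
    return {w: (resolve_wildcard_unsafe(w), resolve_wildcard_safe(w)) for w in inputs}


if __name__ == "__main__":
    for wildcard, (unsafe, safe) in compare().items():
        print(f"{wildcard!r:32} unsafe -> {unsafe!r:48} safe -> {safe!r}")
```

The decisive check is step 4: rather than trying to enumerate every dangerous prefix, the code resolves the caller's pattern against the directory it is meant to operate on and refuses anything whose normalized form lands outside it. Steps 1 to 3 are defence in depth and give clearer rejection reasons.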

Technical Details

CVE-2024-13161 and CVE-2024-10811 compound the issue by exposing two more methods that let unauthenticated users reach the same dangerous behaviour.

GetHashForSingleFile() appears to be designed to accept a UNC path as input; because it is reachable without authentication, any caller can point it at a host they control.

GetHashForFile() has the same weakness.

Horizon3.ai has provided proof-of-concept exploits demonstrating how these vulnerabilities can be leveraged in real-world attack scenarios.

For instance, an attacker can relay the coerced machine account authentication with a tool such as ntlmrelayx to create an unauthorized machine account or to obtain delegated administrative access to the EPM server.

Because the EPM server manages endpoints, compromising it can lead to the compromise of every client it manages.

The timeline of disclosure reveals that Horizon3.ai reported these vulnerabilities to Ivanti on October 15, 2024.

Following validation by Ivanti on October 17, a patch was released on January 13, 2025.

The public disclosure of these vulnerabilities serves as a critical reminder of the importance of secure coding practices and robust input validation mechanisms in software development.

Organizations using Ivanti EPM are urged to apply the January 2025 patches immediately and to assess their systems for exposure. Because the impact depends on relaying the coerced NTLM authentication, enforcing SMB signing and LDAP signing and channel binding on the systems the machine account could be relayed to reduces the damage an attacker can do while patching is in progress.

The incident underscores the necessity for continuous security assessments and proactive measures to safeguard against emerging threats in enterprise environments.
