POC Released for Critical Ivanti Vulnerability CVE-2024-29847

By Adversary Tactics and Intelligence Team

Proof-of-concept – Ivanti Endpoint Manager – CVE-2024-29847 – Remote Code Execution – All Industries

Source Material: The Summoning Team | Targeted Industries: All

The Rundown

A proof-of-concept (POC) exploit has been released for a critical Ivanti Endpoint Manager vulnerability, CVE-2024-29847, exposing systems to potential remote code execution. 

Attackers could adapt the POC code to exploit the vulnerability and install malware, such as a web shell, posing a severe risk to sensitive data and operations. Even with a patch available, the release of exploit code makes swift action by organizations crucial to prevent breaches.

If you have questions or feedback about this intelligence, you can submit them here.

The Summoning Team (aka Sina Kheirkhah) has released a technical analysis and a proof-of-concept for a critical (10.0) remote code execution (RCE) vulnerability in Ivanti Endpoint Manager tracked as CVE-2024-29847. However, the Summoning Team has compiled the proof-of-concept code into an executable, thereby making it harder for an attacker to further modify it for malicious purposes.

CVE-2024-29847 is a deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6 or the 2024 September update; it allows a remote unauthenticated attacker to achieve remote code execution.

On September 10, Ivanti released a patch that addresses this vulnerability.

The vulnerability lies in the AgentPortal.exe executable, which constructs a URL with a dynamically assigned port and no security enforcement and saves it to the registry. This URL is served through the deprecated Microsoft .NET Remoting framework, which facilitates communication between remote objects.

Exploitation involves an attacker crafting a hashtable containing serialized objects to send to the vulnerable endpoint. Upon deserialization, the hashtable executes arbitrary operations by calling methods on the DirectoryInfo or FileInfo objects. These enable the attacker to perform file operations such as reading or writing files on the server, including web shells that can execute arbitrary code. 

Actions & Recommendations

Deepwatch experts continuously monitor for threats to our customers and their environments. The Adversary Tactics and Intelligence team regularly develops and updates detection signatures and adds malicious observables to our indicator feeds based on our intelligence analysis of the source material. We also use this intelligence to conduct threat hunting. However, Deepwatch experts cannot discover all activity due to limitations in the log sources that Deepwatch receives.

We recommend the following actions to enhance cyber resilience:

  • Regularly update and patch systems: Ensure all software and systems are regularly updated and patched to protect against known vulnerabilities and perform routine vulnerability assessments and penetration tests to identify and address potential security weaknesses.

Technical Artifacts

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

  • Rare/anomalous process execution activity relating to AgentPortal.exe
    • Baseline allowed child processes should be ping.exe and tracert.exe
  • Rare/anomalous connections to the AgentPortal address
    • Ex: tcp://192.168.0[.]200:49669/LDSM
  • Rare/anomalous lateral traffic from impacted appliances that may indicate lateral movement or reconnaissance
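The following is an added example of how the three BOLO items above can be turned into a retrospective hunt; it is not code from Deepwatch, Ivanti or The Summoning Team. It runs over a few constructed JSON-lines events with Sysmon-style field names (process creation and network connection), flags AgentPortal.exe child processes outside the ping.exe/tracert.exe baseline, connections to the tcp://host:port/LDSM remoting address from outside an assumed management subnet, and outbound traffic from the EPM core to hosts outside that subnet. The install path, the management subnet (192.168.0.0/24), the core server address (taken from the advisory's defanged example and written in plain dotted form) and the sample events are all assumptions made for this example.

```python
"""Added hunt example for the CVE-2024-29847 BOLO guidance (not from the advisory)."""
import json
import re
from ipaddress import ip_address, ip_network

# Baseline from the advisory: the only expected child processes of AgentPortal.exe.
ALLOWED_CHILDREN = {"ping.exe", "tracert.exe"}

# Shape of the AgentPortal .NET Remoting address quoted in the advisory: tcp://host:port/LDSM
REMOTING_URL_RE = re.compile(r"^tcp://(?P<host>[^:/]+):(?P<port>\d+)/LDSM$", re.IGNORECASE)

# Assumed baseline for this example: the EPM core's address and the subnet that
# normally talks to it. Replace with your own inventory.
EPM_CORE_IPS = {ip_address("192.168.0.200")}
MANAGEMENT_NET = ip_network("192.168.0.0/24")

# Constructed sample telemetry (JSON lines); the EPM install directory is a placeholder.
SAMPLE_EVENTS = r"""
{"kind": "process", "host": "epm-core01", "parent_image": "C:\\ASSUMED_EPM_DIR\\AgentPortal.exe", "image": "C:\\Windows\\System32\\ping.exe", "cmdline": "ping -n 1 192.168.0.51"}
{"kind": "process", "host": "epm-core01", "parent_image": "C:\\ASSUMED_EPM_DIR\\AgentPortal.exe", "image": "C:\\Windows\\System32\\tracert.exe", "cmdline": "tracert 192.168.0.51"}
{"kind": "process", "host": "epm-core01", "parent_image": "C:\\ASSUMED_EPM_DIR\\AgentPortal.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"kind": "process", "host": "epm-core01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"kind": "network", "src_ip": "192.168.0.77", "dst_ip": "192.168.0.200", "dst_port": 49669, "url": "tcp://192.168.0.200:49669/LDSM"}
{"kind": "network", "src_ip": "10.50.7.23", "dst_ip": "192.168.0.200", "dst_port": 49669, "url": "tcp://192.168.0.200:49669/LDSM"}
{"kind": "network", "src_ip": "192.168.0.200", "dst_ip": "10.20.3.15", "dst_port": 445, "url": ""}
{"kind": "network", "src_ip": "192.168.0.200", "dst_ip": "192.168.0.51", "dst_port": 80, "url": ""}
"""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Apply the three BOLO rules; returns a list of finding tuples in event order."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            # Rule 1: AgentPortal.exe should only spawn ping.exe / tracert.exe.
            if basename(ev["parent_image"]) != "agentportal.exe":
                continue
            child = basename(ev["image"])
            if child not in ALLOWED_CHILDREN:
                findings.append(("unexpected_agentportal_child", ev["host"], child, ev["cmdline"]))
        elif ev["kind"] == "network":
            src = ip_address(ev["src_ip"])
            dst = ip_address(ev["dst_ip"])
            # Rule 2: connections to the remoting address from outside the baseline subnet.
            m = REMOTING_URL_RE.match(ev.get("url", ""))
            if m and src not in MANAGEMENT_NET:
                findings.append(("remoting_endpoint_from_outside_baseline", ev["src_ip"],
                                 m.group("host"), int(m.group("port"))))
            # Rule 3: traffic from the EPM core to hosts outside the management subnet.
            if src in EPM_CORE_IPS and dst not in MANAGEMENT_NET:
                findings.append(("lateral_from_epm_core", ev["src_ip"], ev["dst_ip"], ev["dst_port"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

Against the sample data the script reports the cmd.exe child of AgentPortal.exe, the remoting connection from 10.50.7.23, and the SMB connection from the core to 10.20.3.15; the baseline ping/tracert children and the in-subnet connections are silent. In production the subnet and core address should come from asset inventory rather than constants, and the rules are a starting point for baselining, not a signature for the exploit itself.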
