www.belgium.be Logo of the federal government

WARNING: IVANTI PATCHED MULTIPLE VULNERABILITIES IN IVANTI EPM, IVANTI APPLICATION CONTROL ENGINE AND IVANTI AVALANCHE, PATCH IMMEDIATELY!

Referentie: 
Advisory #2025-012
Versie: 
3.0
Geïmpacteerde software: 
Ivanti EPM
Ivanti Application Control Engine
Ivanti Avalanche
Type: 
Multiple types, including Path traversal vulnerabilities
CVE/CVSS: 

Ivanti EPM

  • CVE-2024-10811: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-13161: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-13160: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-13159: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Ivanti Application Control Engine

  • CVE-2024-10630: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Ivanti Avalanche

  • CVE-2024-13181: CVSS 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  • CVE-2024-13180: CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • CVE-2024-13179: CVSS 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Datum: 
15/01/2025

Bronnen

Ivanti EPM - https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US

Ivanti Application Control Engine - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Application-Control-Engine-CVE-2024-10630?language=en_US

Ivanti Avalanche - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs?language=en_US

Risico’s

Ivanti released three vulnerability advisories for Ivanti EPM, Ivanti Application Control Engine and Ivanti Avalanche. The advisories cover multiple vulnerabilities patched in these products. 16 vulnerabilities were patched in Ivanti EPM, 1 vulnerability in Ivanti Application Control Engine and 3 vulnerabilities in Ivanti Avalanche.

The most severe vulnerabilities addressed include four absolute path traversal flaws in Ivanti EPM, which could enable remote, unauthenticated attackers to expose sensitive information.

Beschrijving

CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 – Ivanti EPM
 
CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 are Path Traversal vulnerabilities identified in Ivanti Avalanche. These vulnerabilities allow an unauthenticated remote attacker to leak sensitive information. These vulnerabilities have been assigned a severity score of 9.8.
 
2025-03-12 UPDATE: A proof of concept has been publicly released for CVE-2024-13159. CISA added CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 to their Known Exploited Vulnerabilities Catalog, which indicates that these 3 vulnerabilities are now being actively exploited by threat actors.
 
CVE-2024-13158 – Ivanti EPM
 
CVE-2024-13158 is an unbounded resource search path vulnerability in Ivanti EPM This vulnerability allows a remote authenticated attacker with admin privileges to execute remote code. This vulnerability has been assigned a severity score of 7.2.
 
CVE-2024-13172 – Ivanti EPM
 
CVE-2024-13172 is an improper signature verification vulnerability in Ivanti EPM that allows a remote, unauthenticated attacker to execute remote code. Local user interaction is necessary to exploit this issue. This vulnerability has been assigned a severity score of 7.8.
 
CVE-2024-10630 – Ivanti Application Control Engine
 
CVE-2024-10630 is a race condition in Ivanti Application Control Engine that allows a local authenticated attacker to bypass the application blocking functionality. This vulnerability has been assigned a severity score of 7.8.
 
CVE-2024-13180 – Ivanti Avalanche
 
CVE-2024-13180 is a Path Traversal in Ivanti Avalanche that allows remote, unauthenticated attackers to expose sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011. The vulnerability has been assigned a severity score of 7.5.
 
Other vulnerabilities
 
While these are the most noteworthy vulnerabilities patched by Ivanti, there are also other critical vulnerabilities addressed in these advisories. If you use Ivanti EPM, Ivanti Application Control Engine, or Ivanti Avalanche devices, please review the Ivanti advisory and update your products.

Aanbevolen acties

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Update: 2025-02-21

Ivanti published a V2 of the patch for the abovementioned vulnerabilities. Applying the original patch (EPM_2024_Flat_Jan_2025_Patch.zip and EPM_2022_SU6_Jan_2025_Patch.zip) caused a known issue with Windows Action in Software Distribution. More specifically, the "Actions" tab was not visible, thus preventing users from creating new Windows Action packages or editing existing ones. Please note that existing packages continue to function as expected.

Ivanti updated this patch to a V2 version that restores the "Actions" tab. If the original version was installed, V2 needs to be installed as well to restore the "Actions" tab.

Due to the changes made in the V2 patch, there are some needed changes in order for Windows Action packages to be fully functional again. Please see Change to Windows Action Packages in January 2025 Hot Patch for more information.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Referenties