Ivanti Fortifies Endpoint Manager Against Critical Flaws: Cybersecurity Upgrade Thwarts Remote Code Execution Threats

Ivanti’s latest patch party plugs ten perilous potholes, with six SQL injection soirees and four authenticated attacker jamborees. Patch your endpoints, or it’s code execution calamity! 🛠️💻🚨 #CriticalSecurityFlaws

Hot Take:

When it comes to cybersecurity, it seems like the only thing multiplying faster than Gremlins in a swimming pool are those pesky vulnerabilities. Ivanti’s latest patch party is like a black-tie gala for bugs, with SQL injections and remote code execution flaws dressing to impress. And just for kicks, we have a cameo from Netflix’s Big Data butler, Genie, who’s apparently granting wishes to attackers with a taste for path traversal. Remember folks, in the digital world, it’s BYOP—Bring Your Own Patches!

Key Points:

  • Ivanti fixes a grand total of 10 vulnerabilities in Endpoint Manager, with six unauthenticated SQL injection flaws scoring a haughty 9.6 on the CVSS scale.
  • The remaining four bugs require an attacker to be authenticated first, because even hackers need to provide ID sometimes.
  • The company also tidied up a high-severity flaw in Avalanche and five more in other products, because why stop at 10 when you can make it 15?
  • Meanwhile, Netflix’s Genie is granting the wrong kind of wishes with a critical path traversal flaw that affects all software versions before 4.3.18.
  • The U.S. government waves the “secure by design” flag, urging developers to build software like they’re crafting a fortress, not a lemonade stand.

Cve id: CVE-2023-5389
Cve state: PUBLISHED
Cve assigner short name: Honeywell
Cve date updated: 01/31/2024
Cve description: An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.

Cve id: CVE-2024-29827
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2023-38042
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: A local privilege escalation vulnerability in Ivanti Secure Access Client for Windows allows a low privileged user to execute code as SYSTEM.

Cve id: CVE-2024-29828
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2024-22059
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user to read/modify/delete information in the underlying database. This may also lead to DoS.

Cve id: CVE-2023-5390
Cve state: PUBLISHED
Cve assigner short name: Honeywell
Cve date updated: 01/31/2024
Cve description: An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.

Cve id: CVE-2024-29846
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2024-29822
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2023-38551
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack.

Cve id: CVE-2024-29829
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2024-29830
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Cve id: CVE-2023-46810
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: A local privilege escalation vulnerability in Ivanti Secure Access Client for Linux before 22.7R1, allows a low privileged user to execute code as root.

Cve id: CVE-2024-29848
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

Cve id: CVE-2024-22060
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 05/31/2024
Cve description: An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.

Title: Path Traversal vulnerability via File Uploads in Genie
Cve id: CVE-2024-4701
Cve state: PUBLISHED
Cve assigner short name: netflix
Cve date updated: 05/10/2024
Cve description: A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18

Need to know more?

Patching Up the Patchwork

Ivanti must be feeling like the digital janitor these days, sweeping up all the bug debris cluttering its software corridors. With 10 vulnerabilities in Endpoint Manager alone, Ivanti's release notes must read like an action-packed thriller, minus the car chases and with more SQL injections. It's like they've got a "Buy 9, Get 1 Free" deal going on with exploits. If only they came with loyalty points.

Critical Flaws are So In This Season

The critical vulnerabilities range from the kind that require a digital handshake (authenticated) to the sneaky kind that crash your network party without an invite (unauthenticated). Either way, it's like leaving your digital front door open with a sign that says "Burglars welcome!" But fear not, Ivanti's rolled out the red carpet for patches so we can all sleep a little less paranoid at night.

Netflix and Spill

Genie, the open-source Big Data orchestration engine by Netflix, is usually great at catering to your data whims, but it seems to have a dark side. This Genie has granted attackers the ability to write whatever they want, wherever they want on the file system, as if they're authors with no editorial oversight. Time to update to version 4.3.18 before your data starts spilling more secrets than a reality TV show contestant.
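
The bug class behind that Genie advisory (a client-supplied upload name deciding where a file is written), as an added example that is not Genie's code and not from the original article. It shows the vulnerable join beside a containment check; the function names and sample file names are hypothetical and constructed for illustration.

```python
import os
import tempfile

class UnsafeUploadName(ValueError):
    """Client-supplied file name would land outside the upload root."""

def naive_upload_path(upload_root, client_name):
    # Vulnerable pattern: the client-controlled name is joined as-is, so
    # "../" segments or an absolute path decide where the file is written.
    return os.path.normpath(os.path.join(upload_root, client_name))

def contained_upload_path(upload_root, client_name):
    # The client may choose a leaf name only, never a directory.
    if (client_name in ("", ".", "..") or "\x00" in client_name
            or "/" in client_name or "\\" in client_name):
        raise UnsafeUploadName(repr(client_name))
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, client_name))
    # Re-check after symlink resolution: a link already present in the
    # upload directory must not redirect the write elsewhere.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeUploadName(repr(client_name))
    return target

def triage(upload_root, names):
    """Map each submitted name to 'accepted' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            contained_upload_path(upload_root, name)
            verdicts[name] = "accepted"
        except UnsafeUploadName:
            verdicts[name] = "rejected"
    return verdicts

# Constructed sample names, not taken from any real request.
SAMPLE_NAMES = ["report.csv", "../../outside.txt", "/tmp/outside.txt",
                "..\\..\\outside.txt", ".."]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, verdict in triage(root, SAMPLE_NAMES).items():
            print(f"{verdict:8}  {name!r} -> naive: {naive_upload_path(root, name)}")
```

Rejecting names that carry any separator, rather than stripping them, keeps a record of the attempt for logging and avoids silently renaming a file.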

Uncle Sam Wants YOU... to Code Securely

The U.S. government is waving the cybersecurity flag, reminding developers to armor up their code in the digital crusade against vulnerabilities. They're advocating a "secure by design" approach, which is like asking architects to plan for Godzilla attacks during the blueprint phase. It's all about building those metaphorical moats and drawbridges to keep the cyber-trolls at bay.

More Bugs Than a B-Movie

And just when you thought you'd had enough of the bug bonanza, Honeywell's ControlEdge Unit Operations Controller pops in with vulnerabilities that could lead to unauthenticated remote code execution. It's like the creepy crawlers decided to throw their own shindig in the operational technology (OT) network. The party favor? Full control of the controller and the chance to run malicious code. RSVP 'no' to that one, folks.

After all this, if you're not already updating your software or considering a career as a hermit, well, you're braver than most. In the meantime, let's pour one out for the IT teams dealing with this hot mess express. Cheers to the patchers!
