Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining four – CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) – are also SQL injection flaws, but exploiting them requires an authenticated attacker.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file.
In addition, patches have been shipped for five other high-severity vulnerabilities: an SQL injection (CVE-2024-22059) and an unrestricted file upload bug (CVE-2024-22060) in Neurons for ITSM, a CRLF injection flaw in Connect Secure (CVE-2023-38551), and two local privilege escalation issues in the Secure Access client for Windows (CVE-2023-38042) and Linux (CVE-2023-46810).
Ivanti stressed that there is no evidence of the flaws being exploited in the wild or that they were “introduced into our code development process maliciously” via a supply chain attack.
The development comes as details emerged about a critical flaw in the open-source version of the Genie federated Big Data orchestration and execution engine developed by Netflix (CVE-2024-4701, CVSS score: 9.9) that could lead to remote code execution.
Described as a path traversal vulnerability, the shortcoming could be exploited to write an arbitrary file on the file system and execute arbitrary code. It impacts all versions of the software prior to 4.3.18.
The issue stems from the fact that Genie’s REST API accepts a user-supplied filename as part of the request, so a malicious actor can craft a filename that breaks out of the default attachment storage path and writes a file with any user-specified name to a location of the actor’s choosing.
“Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted,” the maintainers said in an advisory.
“Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system that the Java process has write access to – potentially leading to remote code execution (RCE).”
That said, users who do not store the attachments locally on the underlying file system are not susceptible to this issue.
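The write-anywhere primitive described above, as an added example in Python (this is illustrative code, not Genie’s own implementation, which is Java): a vulnerable path join that trusts the filename from the request, beside a hardened version that canonicalises the result and refuses anything that does not stay inside the attachment store. The function names and the sample filenames are constructed for the example and are not taken from the advisory.

```python
import os
import tempfile
from typing import Dict

# Constructed sample filenames, as an attacker might supply them in the
# attachment field of an upload request. Not taken from any real advisory.
CONSTRUCTED_FILENAMES = [
    "job-config.yaml",            # benign
    "nested/ok.txt",              # benign, subdirectory inside the root
    "../../../../tmp/evil.sh",    # classic dot-dot escape
    "/etc/cron.d/evil",           # absolute path: os.path.join discards the root
    "subdir/../../escape.txt",    # escapes after first descending
]


def vulnerable_attachment_path(storage_root: str, filename: str) -> str:
    """The flawed pattern: join the user-supplied name straight onto the
    storage directory. '..' segments walk out of storage_root, and an
    absolute filename makes os.path.join drop storage_root entirely."""
    return os.path.normpath(os.path.join(storage_root, filename))


def escapes_root(storage_root: str, filename: str) -> bool:
    """True when the vulnerable join would land outside storage_root."""
    root = os.path.realpath(storage_root)
    target = os.path.realpath(vulnerable_attachment_path(storage_root, filename))
    return os.path.commonpath([root, target]) != root


def safe_attachment_path(storage_root: str, filename: str) -> str:
    """Hardened version: canonicalise both the root and the candidate
    (realpath also resolves symlinks) and require the candidate to remain
    strictly under the root. Rejecting rather than 'repairing' the name
    keeps the attacker from steering the result at all."""
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"attachment path escapes storage root: {filename!r}")
    return candidate


def classify(storage_root: str) -> Dict[str, str]:
    """Run every constructed filename through the hardened check."""
    verdicts: Dict[str, str] = {}
    for name in CONSTRUCTED_FILENAMES:
        try:
            safe_attachment_path(storage_root, name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


def demo() -> Dict[str, str]:
    """Use a throwaway directory as the attachment store so the example
    runs offline and writes nothing outside it."""
    with tempfile.TemporaryDirectory() as store:
        return classify(store)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

The check compares canonical paths rather than looking for the substring `..`, because encoded or redundant segments (`subdir/../../`) and absolute names both defeat a string filter while still resolving outside the root. An application that never needs subdirectories can go further and keep only `os.path.basename(filename)` before the check.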
“If successful, such an attack could fool a web application into reading and consequently exposing the contents of files outside of the document root directory of the application or the web server, including credentials for back-end systems, application code and data, and sensitive operating system files,” Contrast Security researcher Joseph Beeton said.
Earlier this month, the U.S. government warned of continued attempts by threat actors to exploit directory traversal defects in software to breach targets, calling on developers to adopt a secure by design approach for eliminating such security holes.
“Incorporating this risk mitigation at the outset – beginning in the design phase and continuing through product release and updates – reduces both the burden of cybersecurity on customers and risk to the public,” the government said.
The disclosure also comes in the wake of two vulnerabilities (CVE-2023-5389 and CVE-2023-5390) in Honeywell’s Control Edge Unit Operations Controller (UOC) that can result in unauthenticated remote code execution.
“An attacker already on an OT network would use a malicious network packet to exploit this vulnerability and compromise the virtual controller,” Claroty said. “This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code.”
https://thehackernews.com/2024/05/ivanti-patches-critical-remote-code.html