CVE-2024-29847 Overview
CVE-2024-29847 is a critical insecure deserialization vulnerability affecting the agent portal component of Ivanti Endpoint Manager (EPM). This vulnerability allows a remote unauthenticated attacker to achieve remote code execution (RCE) by exploiting improper handling of untrusted data during deserialization processes. Organizations using affected versions of Ivanti EPM are at significant risk of complete system compromise.
Critical Impact
Remote unauthenticated attackers can execute arbitrary code on affected Ivanti EPM servers, potentially leading to complete infrastructure compromise, data theft, and lateral movement within enterprise networks.
Affected Products
- Ivanti Endpoint Manager 2022 (all versions before SU6)
- Ivanti Endpoint Manager 2022 SU1 through SU5
- Ivanti Endpoint Manager 2024 (versions before September 2024 update)
Discovery Timeline
- 2024-09-12 - CVE-2024-29847 published to NVD
- 2024-09-12 - Last updated in NVD database
Technical Details for CVE-2024-29847
Vulnerability Analysis
This vulnerability is classified as CWE-502: Deserialization of Untrusted Data. The agent portal component of Ivanti EPM fails to properly validate and sanitize data before deserializing it, creating a pathway for attackers to inject malicious serialized objects. When these objects are processed by the application, they can execute arbitrary code with the privileges of the EPM service.
The attack is particularly dangerous because it requires no authentication, meaning any attacker with network access to the agent portal can exploit this vulnerability. The exploitation can lead to complete server compromise, including the ability to install malware, exfiltrate sensitive endpoint management data, and pivot to managed endpoints across the enterprise.
Root Cause
The root cause of CVE-2024-29847 lies in the agent portal's handling of serialized data without adequate validation. The deserialization routine accepts and processes untrusted input from remote sources, allowing attackers to craft malicious serialized payloads. When the application deserializes these payloads, it instantiates attacker-controlled objects that can execute arbitrary code during the deserialization process or through subsequent method invocations.
Attack Vector
The attack is conducted over the network against the Ivanti EPM agent portal. An attacker crafts a malicious serialized object containing code execution primitives and sends it to the vulnerable endpoint. The server deserializes the payload without proper validation, triggering the execution of the embedded malicious code.
The attacker does not require any form of authentication, user interaction, or special privileges to exploit this vulnerability. This makes it an ideal target for opportunistic attacks and automated exploitation campaigns targeting internet-exposed Ivanti EPM installations.
The vulnerability manifests in the agent portal's deserialization handling. For technical details and specific exploitation vectors, refer to the Ivanti Security Advisory.
Detection Methods for CVE-2024-29847
Indicators of Compromise
- Unusual process spawning from Ivanti EPM service processes
- Unexpected network connections originating from EPM server components
- Suspicious serialized object patterns in agent portal traffic logs
- Creation of unauthorized files or scheduled tasks on the EPM server
- Anomalous authentication attempts or privilege escalation events following agent portal access
Detection Strategies
- Monitor agent portal HTTP traffic for malformed or suspicious serialized data payloads
- Implement network intrusion detection rules targeting known deserialization attack patterns
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation behavior
- Review application logs for deserialization errors or exceptions that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging on Ivanti EPM agent portal components
- Configure SIEM alerts for unusual process chains originating from EPM services
- Monitor for outbound connections from the EPM server to unknown or suspicious destinations
- Track file system changes in EPM installation directories
How to Mitigate CVE-2024-29847
Immediate Actions Required
- Apply the Ivanti EPM 2022 SU6 update or the September 2024 update for EPM 2024 immediately
- Restrict network access to the agent portal to trusted IP ranges only
- Implement web application firewall (WAF) rules to filter potentially malicious serialized payloads
- Monitor EPM servers for signs of compromise while awaiting patch deployment
Patch Information
Ivanti has released security patches addressing this vulnerability. Organizations running Ivanti EPM 2022 should upgrade to Service Update 6 (SU6) or later. Organizations running Ivanti EPM 2024 should apply the September 2024 security update. Detailed patching instructions and download links are available in the Ivanti Security Advisory.
Workarounds
- Implement network segmentation to isolate EPM servers from untrusted networks
- Deploy a reverse proxy with strict input validation in front of the agent portal
- Consider temporarily disabling the agent portal if it is not essential for operations
- Enable strict firewall rules limiting access to the agent portal to known, trusted endpoints only
# Example firewall rule to restrict agent portal access (Windows Firewall)
netsh advfirewall firewall add rule name="Restrict EPM Agent Portal" dir=in action=block protocol=tcp localport=443 remoteip=any
netsh advfirewall firewall add rule name="Allow EPM Agent Portal Trusted" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
