Ivanti closes gaps in Application Control Engine, Avalanche and EPM

Ivanti has released security updates for Application Control Engine, Avalanche and EPM. Some of them fix critical vulnerabilities.

Ivanti has released security updates for several products, some of which fix critical vulnerabilities. Updates are available for Ivanti's management products Application Control Engine, Avalanche, and Endpoint Manager (EPM).

There are 16 vulnerabilities in Ivanti's Endpoint Manager alone, four of which are classified as critical. According to Ivanti's security advisory, the critical vulnerabilities (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159; CVSS 9.8) are all of the path traversal type and allow unauthenticated attackers to leak sensitive information. Ivanti's developers classify the twelve other vulnerabilities as high risk. The versions Ivanti EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update close the vulnerabilities. Apparently, however, there are problems with “Windows Action” in software distribution after applying the updates: the actions are not visible, so no new ones can be created and existing ones cannot be modified. Existing packages continue to work.

According to the security advisory, the company is patching three high-risk vulnerabilities in Ivanti Avalanche. These are also of the path traversal type. Two allow malicious actors to bypass authentication (CVE-2024-13181, CVE-2024-13179, both CVSS 7.3, high). Another allows unauthenticated attackers on the network to access sensitive information (CVE-2024-13180, CVSS 7.5, high). Ivanti Avalanche version 6.4.7 or newer closes the gaps. The updated software is available from the Ivanti download portal.

Finally, Ivanti warns of a vulnerability in the Application Control Engine. Authenticated attackers can abuse a race condition to bypass the app blocking function (CVE-2024-10630, CVSS 7.8, high). Ivanti Application Control 2024.3 HF1, 2024.1 HF2 and 2023.3 HF3 correct the error. Ivanti Security Controls will still be supported until December 31, 2025, but will no longer receive an update, as a release without a significant impact on performance is not possible. Ivanti mentions manual countermeasures in the advisory, but recommends switching to Ivanti Application Control (UWM AC) or Ivanti Neurons for App Control. The latter is cloud software that Ivanti already patched on December 12. Anyone who has installed Ivanti Application Control in EPM should obtain the latest version 10.14.4.0 and import it with the Privilege Management plug-in.

With regard to all the security vulnerabilities addressed by the updates, Ivanti states that it is not aware of any attacks in the wild to date.

Ivanti products are part of the standard repertoire of systems attacked by cyber criminals. Last week, the manufacturer warned of active attacks on Ivanti Secure Connect systems, in which malicious actors can inject malicious code and compromise networks. IT managers should therefore download and install the updates quickly to secure their networks.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.