Ivanti Endpoint Manager Absolute Path Traversal Vulnerability Allowing Information Disclosure

A path traversal vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions prior to the January 2025 Security Update for both the 2024 and 2022 SU6 releases. This vulnerability allows remote, unauthenticated attackers to exploit absolute path traversal, leading to the unauthorized disclosure of sensitive information. The issue arises from the application's failure to properly validate user input, enabling attackers to manipulate file paths and access restricted data.

Impact

Exploitation of this vulnerability could result in the unauthorized leakage of sensitive information from the affected Ivanti EPM server.

Reproduction

The vulnerability can be reproduced by sending a request to the 'GetHashForWildcardRecursive' endpoint of the 'VulCore' class in the 'WSVulnerabilityCore.dll' component. The 'wildcard' parameter can be crafted to include a remote UNC path, which the server will then access, allowing for information leakage. This exploitation can be automated with a proof-of-concept available on GitHub.

Remediation

Users should apply the January 2025 Security Update Hot Patch for their respective EPM version. This patch is available through the Ivanti License System (ILS). After applying the patch, it's recommended to run 'AgentEngineHashUpdate.exe' to refresh the agent hash values in the database.