Ivanti Endpoint Manager Absolute Path Traversal Vulnerability Allowing Information Disclosure

A path traversal vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2024 November security update and prior, as well as 2022 SU6 November security update and prior. This vulnerability allows remote, unauthenticated attackers to exploit absolute path traversal, leading to the leakage of sensitive information. The issue arises because the affected application does not properly validate user input in certain API endpoints, allowing attackers to manipulate file paths and access restricted data.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, potentially including machine account credentials that could be used in relay attacks to compromise the EPM server or its clients.

Reproduction

The vulnerability can be reproduced by sending a request to the 'GetHashForWildcardRecursive' API endpoint with a crafted 'wildcard' parameter that includes a remote UNC path. This will cause the EPM server to read files from the specified location and calculate their hashes, effectively leaking information from the server.

Remediation

Users should apply the January 2025 security update for Ivanti Endpoint Manager. This update is available through the Ivanti License System (ILS). After applying the patch, it is recommended to run 'AgentEngineHashUpdate.exe' to refresh the hash values in the database.