July 18, 2024 at 07:45AM
Ivanti released patches for high-severity vulnerabilities in Endpoint Manager and Endpoint Manager for Mobile, including a hotfix for an SQL injection flaw. Patches for four vulnerabilities impacting all versions of Endpoint Manager for Mobile were also released. Additionally, a patch for a medium-severity path traversal vulnerability in Ivanti Docs@Work for Android was announced.
Key takeaways:
1. Ivanti has announced patches for multiple high-severity vulnerabilities in Endpoint Manager and Endpoint Manager for Mobile. This includes a hotfix for an SQL injection flaw tracked as CVE-2024-37381 (CVSS score 8.4) that impacts the Core server of Endpoint Manager (EPM) 2024 flat. The SQL injection could be exploited by an authenticated attacker with network access to execute arbitrary code. The hotfix is currently supported for EPM 2024 flat only; Ivanti intends to release security updates that fully address the vulnerability.
2. Ivanti has released patches for four vulnerabilities impacting all versions of its Endpoint Manager for Mobile (EPMM) product. Three of the flaws, tracked as CVE-2024-36130, CVE-2024-36131, and CVE-2024-36132, are high-severity bugs. The first two allow attackers within the network to execute arbitrary commands on the underlying operating system of the appliance, while the third leads to authentication bypass and sensitive information disclosure. EPMM (Core) versions 11.12.0.3, 12.0.0.3, and 12.1.0.1 address these security defects along with a medium-severity improper authentication issue.
3. Ivanti has also announced a patch for CVE-2024-37403, a medium-severity path traversal vulnerability in Ivanti Docs@Work for Android. The security defect belongs to the class of bugs Microsoft disclosed earlier this year under the name Dirty Stream: a malicious application could overwrite files in another application's home directory, potentially leading to code execution. Docs@Work for Android version 2.26.1 addresses the bug and is available to all Ivanti customers.
4. Ivanti has stated that it is not aware of any public exploitation of the disclosed vulnerabilities.
5. The company has clarified that these vulnerabilities do not impact any other Ivanti products or solutions.
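The Dirty Stream class of bug in item 3 arises when an app writes a file received from another app under the file name the sender supplied, without checking that the name cannot escape the receiving app's directory. The following is an added example, not Ivanti's or Microsoft's code, written in Python to show the generic check; the base directory and the file names are constructed for illustration. The naive version joins the untrusted name onto the base path as a vulnerable app would; the hardened version rejects any name that is not a bare file name and confirms the resolved destination still lies inside the base directory.

```python
import os
from pathlib import Path
from typing import Dict, Optional

# Constructed base directory standing in for an app's private files directory.
BASE_DIR = "/tmp/dirty_stream_demo"


def naive_destination(base_dir: str, untrusted_name: str) -> str:
    """Vulnerable pattern: trust the sender's file name and join it onto the
    private directory. A name containing '..' escapes base_dir."""
    return os.path.normpath(os.path.join(base_dir, untrusted_name))


def safe_destination(base_dir: str, untrusted_name: str) -> Optional[Path]:
    """Hardened pattern: return the destination path for untrusted_name under
    base_dir, or None when the name must be rejected."""
    base = Path(base_dir).resolve()

    # A file name supplied by another app must be a bare name: no empty or
    # dot-only names, no absolute paths, no separators, no embedded NUL.
    if not untrusted_name or untrusted_name in (".", ".."):
        return None
    if os.path.isabs(untrusted_name):
        return None
    if any(ch in untrusted_name for ch in ("/", "\\", "\x00")):
        return None

    # Defence in depth: after resolving symlinks and '..', the destination
    # must still be inside base_dir.
    candidate = (base / untrusted_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify(base_dir: str, names) -> Dict[str, bool]:
    """Map each candidate name to whether the hardened check accepts it."""
    return {name: safe_destination(base_dir, name) is not None for name in names}


if __name__ == "__main__":
    # Constructed sample names, as a malicious sender might supply them.
    samples = [
        "report.pdf",
        "notes..txt",
        "../../shared_prefs/settings.xml",
        "/data/data/victim/files/payload.so",
        "..\\lib\\payload.so",
        "..",
    ]
    for name in samples:
        print(f"{name!r:40} naive -> {naive_destination(BASE_DIR, name)}")
        print(f"{'':40} safe  -> {safe_destination(BASE_DIR, name)}")
```

The naive join shows why the bug is a write primitive into another directory, while the hardened check is the same rule whatever the platform: accept only a bare file name and verify the resolved destination after the join. Names with dots inside them, such as `notes..txt`, remain valid because they contain no separator and resolve inside the base directory.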