Update: 2024-09-16
We initially wrote this post in reference to CVE-2024-29847; however, this post actually describes CVE-2023-28324. We had incorrectly assumed that the SU5 update was comprehensive, which resulted in us mistaking CVE-2023-28324 for CVE-2024-29847. The content of this blog has been updated accordingly.
Introduction
Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On June 7th, 2023, Ivanti released an advisory describing an improper input validation vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. Our POC can be found here.
AgentPortal
The vulnerability exists in a service named AgentPortal. A quick search shows us that we can find the file at C:\Program Files\LanDesk\ManagementSuite\AgentPortal.exe. Upon further investigation, we find that it is a .NET binary.
After loading AgentPortal.exe into JetBrains dotPeek for decompilation, we find that it's not a very complicated program. Its main responsibility is creating a .NET Remoting service for the IAgentPortal interface.
IAgentPortal Interface
The IAgentPortal interface is pretty simple: it consists of functions to create Requests and other functions to get the results and check the status of those requests. Digging into what kind of requests we can make, we find the ActionEnum enum.
We are immediately drawn to the RunProgram option. The handler for that option shows a very easy way for an attacker to run an arbitrary program.
The Fix
The fix for this vulnerability restricts the programs that can be run by ProcessRunProgramAction to ping.exe and tracert.exe.
Indicators of Compromise
The port used by the AgentPortal service can be found in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal.

Any unexpected connections to the AgentPortal address in your environment should be investigated for malicious activity.
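
One way to run that check, as an added example that is not part of the original post or of Ivanti's tooling: a small parser for `netstat -ano` output that lists every TCP peer of the AgentPortal port outside the networks you expect to talk to it. The port 50000, the addresses and the sample output are constructed placeholders; substitute the port read from the registry key above.

```python
import ipaddress

# Constructed sample of `netstat -ano` output from a core server. Port 50000
# is a placeholder, not the real AgentPortal port (read yours from the
# registry key named above).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:50000         10.0.0.21:51514        ESTABLISHED     4120
  TCP    10.0.0.5:50000         192.0.2.77:40022       ESTABLISHED     4120
  TCP    10.0.0.5:443           192.0.2.77:40023       ESTABLISHED     900
  TCP    [::1]:50000            [::1]:49812            ESTABLISHED     4120
  TCP    10.0.0.5:50000         10.0.9.9:50111         TIME_WAIT       0
"""


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def unexpected_peers(netstat_text, portal_port, expected_networks):
    """Return (remote_ip, state, pid) for each TCP peer of portal_port
    whose address is outside every network in expected_networks."""
    allowed = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows with a peer; headers and UDP rows differ in shape.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        try:
            _, local_port = split_endpoint(fields[1])
            remote_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # malformed address or port; skip the row
        if local_port != portal_port:
            continue
        # TIME_WAIT rows are kept on purpose: they show recently closed sessions.
        if not any(remote_ip in net for net in allowed):
            findings.append((str(remote_ip), fields[3], int(fields[4])))
    return findings


if __name__ == "__main__":
    for peer in unexpected_peers(SAMPLE_NETSTAT, 50000, ["10.0.0.0/24", "::1/128"]):
        print("unexpected AgentPortal peer:", peer)
```
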
