Ivanti warns of critical vulnerability in its popular line of endpoint protection software

0
138

[ad_1]

Software program maker Ivanti is urging customers of its end-point safety product to patch a crucial vulnerability that makes it potential for unauthenticated attackers to execute malicious code inside affected networks.

The vulnerability, in a category generally known as a SQL injection, resides in all supported variations of the Ivanti Endpoint Manager. Also referred to as the Ivanti EPM, the software program runs on quite a lot of platforms, together with Home windows, macOS, Linux, Chrome OS, and Web of Issues units comparable to routers. SQL injection vulnerabilities stem from defective code that interprets person enter as database instructions or, in additional technical phrases, from concatenating information with SQL code with out quoting the information in accordance with the SQL syntax. CVE-2023-39336, because the Ivanti vulnerability is tracked, carries a severity score of 9.6 out of a potential 10.

“If exploited, an attacker with entry to the inner community can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output with out the necessity for authentication,” Ivanti officers wrote Friday in a post saying the patch availability. “This may then enable the attacker management over machines operating the EPM agent. When the core server is configured to make use of SQL categorical, this may result in RCE on the core server.”

RCE is brief for distant code execution, or the flexibility for off-premises attackers to run code of their selection. At present, there’s no recognized proof the vulnerability is beneath energetic exploitation.

Ivanti has additionally printed a disclosure that’s restricted solely to registered customers. A replica obtained by Ars stated Ivanti discovered of the vulnerability in October. The personal disclosure in full is:

It’s unclear what “attacker with entry to the inner community” means. Beneath the official rationalization of the Common Vulnerability Scoring System, the code Ivanti used within the disclosure, AV:A, is brief for “Assault Vector: Adjoining.” The scoring system outlined it as:

The susceptible part is certain to the community stack, however the assault is proscribed on the protocol stage to a logically adjoining topology. This may imply an assault should be launched from the identical shared bodily or logical (e.g. native IP subnet) community…

In a thread on Mastodon, a number of safety specialists provided interpretations. One one that requested to not be recognized by title, wrote:

All the things else concerning the vulnerability [besides the requirement of access to the network] is extreme:

  • Assault complexity is low
  • Privileges not required
  • No person interplay essential
  • Scope of the following affect to different techniques is modified
  • Impression to Confidentiality, Integrity and Availability is Excessive

Reid Wightman, a researcher specializing within the safety of commercial management techniques at Dragos, supplied this evaluation:

Hypothesis however it seems that Ivanti is mis-applying CVSS and the rating ought to probably be 10.0.

They are saying AV:A (that means, “adjoining community entry required”). Often which means that one of many following is true: 1) the susceptible community protocol will not be routable (this often means it’s not an IP-based protocol that’s susceptible), or 2) the vulnerability is mostly a person-in-the-middle assault (though this often additionally has AC:H, since a person-in-the-middle requires some current entry to the community with a view to really launch the assault) or 3) (what I believe), the seller is mis-applying CVSS as a result of they suppose their susceptible service shouldn’t be uncovered aka “finish customers ought to have a firewall in place”.

The idea that the attacker should be an insider would have a CVSS modifier of PR:L or PR:H (privileges required on the system), or UI:R (tricking a reliable person into doing one thing that they should not). The idea that the attacker has another current entry to the community ought to add AC:H (assault complexity excessive) to the rating. Each would cut back the numeric rating.

I’ve had many an argument with distributors who argue (3), particularly, “no one ought to have the service uncovered so it is not likely AV:N”. However CVSS doesn’t account for “good community structure”. It solely cares about default configuration, and whether or not the assault will be launched from a distant community…it doesn’t contemplate firewall guidelines that the majority organizations ought to have in place, partially since you at all times discover counterexamples the place the service is uncovered to the Web. You’ll be able to virtually at all times discover counterexamples on Shodan and comparable. Loads of “Ivanti Service Managers” uncovered on Shodan for instance, although, I am unsure if that is the precise susceptible service.

A 3rd participant, Ron Bowes of Skull Security, wrote: “Distributors—particularly Ivanti—have a behavior of underplaying safety points. They suppose that making it sound just like the vuln is much less dangerous makes them look higher, when in actuality it simply makes their prospects much less protected. That is an enormous pet peeve. I am not gonna decide distributors for having a vuln, however I’m going to evaluate them for dealing with it badly.”

Ivanti representatives didn’t reply to emailed questions.

Placing units operating Ivanti EDM behind a firewall is a finest observe and can go an extended option to mitigating the severity of CVE-2023-39336, however it might possible do nothing to stop an attacker who has gained restricted entry to an worker workstation from exploiting the crucial vulnerability. It’s unclear if the vulnerability will come beneath energetic exploitation, however the very best plan of action is for all Ivanti EDM customers to put in the patch as quickly as potential.

[ad_2]

Source link