Security Evaluation Reveals Vulnerabilities in Ivanti Endpoint Manager
Quick take - A recent security evaluation revealed significant vulnerabilities in a public-facing kiosk system using an outdated version of Ivanti Endpoint Manager, including exploitable known CVEs and a newly discovered code injection vulnerability, highlighting the importance of regular patching and testing of legacy systems.
Fast Facts
- A security evaluation revealed significant vulnerabilities in a public-facing kiosk system using Ivanti Endpoint Manager (EPM) version 2020.1, which is now end-of-life.
- Known Common Vulnerabilities and Exposures (CVEs) were found to be exploitable, along with a new vulnerability in the EPM agent that operates with Local System privileges.
- The evaluation demonstrated a successful code injection exploit, allowing the creation of a file indicating commands executed with administrative privileges.
- The exploitation process involved manipulating a PAC script, highlighting the ease of exploiting certain vulnerabilities with knowledge of software input processing.
- Ivanti confirmed the vulnerability but did not issue a CVE due to the software’s end-of-life status, raising concerns about security risks in outdated commercial software.
Security Evaluation Uncovers Vulnerabilities in Ivanti Endpoint Manager
Overview of Vulnerabilities
A recent security evaluation has uncovered significant vulnerabilities in a public-facing kiosk system’s implementation of Ivanti Endpoint Manager (EPM). The evaluation was prompted by multiple Common Vulnerabilities and Exposures (CVEs) affecting Ivanti products since May 2024. The client was using EPM version 2020.1, which is now considered end-of-life.
During the assessment, it was confirmed that known CVEs were exploitable within the client’s deployment of Endpoint Manager. A new vulnerability was discovered in the EPM agent running on the kiosk, which operates within the Local System (Administrator) context, exposing several network ports. It communicates with the Endpoint Management Core server on the internal client network and uses a private key stored on the device for certificate-authenticated requests to the Ivanti Cloud Services Appliance (CSA).
Key Findings
A key finding was a log file, written by a program invoked by the EPM agent, that recorded requests sent to port 9592. The program's routing logic relied on the Host header. Inserting a double quote into the Host header produced an error log entry reporting an unterminated string, a sign that the header value was being spliced into script source. This was possible because the program used the Microsoft JScript scripting engine, an older JavaScript engine, to evaluate that source.
A successful code injection was demonstrated during the evaluation, allowing the creation of a proof.txt file in the Local System home directory. The file showed that commands had been executed with Administrative privileges. The root cause, visible in the decompiled code, was a function that built script function calls by inserting request parameters directly into the call text, which is what made the code injection possible. Notably, the same function name appeared in Proxy Auto-Configuration (PAC) scripts, which are commonly used to customize proxy server settings on a per-request basis.
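The two paragraphs above describe the injection class at the heart of the finding: a request header spliced into script text that a JavaScript engine then evaluates. The example below is added here to illustrate that class and is not code from the article or from Ivanti's product. It contrasts an unsafe call builder with one that keeps the header value inside a properly escaped string literal, adds a check that a defender can use to confirm the literal boundary holds, and runs a simple detection over constructed request-log lines. The function name `routeRequest`, the log-line format, the hostnames and every timestamp are assumptions made for this illustration.

```javascript
// Added example (not the article's or Ivanti's code). Assumed names:
// routeRequest, the "host=... path=..." log format, and all sample values.

// UNSAFE: the header value is concatenated straight into script source.
// A '"' inside the value closes the string literal early, so the remainder
// of the value is parsed as code (the "unterminated string" error the
// evaluation observed is the benign version of this failure).
function buildCallUnsafe(hostHeader) {
  return 'routeRequest("' + hostHeader + '")';
}

// SAFE: JSON.stringify emits a correctly escaped JavaScript string literal,
// so whatever the header contains stays inside the quotes as data.
// (Not building script source from request data at all is better still.)
function buildCallSafe(hostHeader) {
  return 'routeRequest(' + JSON.stringify(hostHeader) + ')';
}

// Check for a single-argument call: does the generated source contain
// exactly one string literal that runs up to the closing parenthesis?
// Walks the text honouring backslash escapes, so both an injected quote
// and a trailing backslash (which swallows the closing quote) are caught.
function argumentStaysInsideLiteral(source) {
  const open = source.indexOf('("');
  if (open < 0) return false;
  let i = open + 2;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') { i += 2; continue; } // skip the escaped character
    if (c === '"') break;                  // end of the literal
    i++;
  }
  // the literal must close immediately before the final ')'
  return i === source.length - 2 && source.endsWith('")');
}

// Detection over request-log lines. Legitimate hostnames never contain
// quotes, backslashes, semicolons or line breaks; any of these in the Host
// value is worth an alert when the downstream consumer is a script engine.
const SUSPICIOUS_HOST = /["'\\;\r\n]/;
function flagSuspiciousHosts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /\bhost=(.*?)\s+path=/.exec(line);
    if (m && SUSPICIOUS_HOST.test(m[1])) hits.push(line);
  }
  return hits;
}

// Constructed sample log lines (not real data from the evaluation).
const SAMPLE_LOG = [
  '2024-09-01T10:00:01Z host=kiosk-core.internal path=/status',
  '2024-09-01T10:00:02Z host=kiosk-core.internal" path=/status',
  '2024-09-01T10:00:03Z host=kiosk-core.internal path=/health',
];

// Stand-alone demonstration.
const probe = 'kiosk-core.internal"';
console.log('unsafe literal intact:', argumentStaysInsideLiteral(buildCallUnsafe(probe))); // false
console.log('safe literal intact:  ', argumentStaysInsideLiteral(buildCallSafe(probe)));   // true
console.log('flagged log lines:', flagSuspiciousHosts(SAMPLE_LOG));
```

The escaping builder is the minimal fix; the structural fix is to pass the header value to the routing function as an argument (or to validate it against a hostname grammar) rather than to generate and evaluate script text at all. The log check is deliberately simple so it can be dropped onto whatever log the agent's helper already writes.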
Implications and Recommendations
The exploitation process depended on a PAC script that restricted browser traffic. With the PAC script disabled, the exploit did not work; re-enabling it allowed the exploit to be executed again. Pointing the PAC script address at a custom location made testing easier. The vulnerability was characterized as relatively trivial to exploit, which shows how readily such bugs can be enumerated and exploited once the way the software processes its inputs is understood.
Commercial off-the-shelf (COTS) software like Ivanti Endpoint Manager can only be obtained with a valid subscription, which limits broader security research. Ivanti operates a Vulnerability Disclosure Program that offers legal protection to researchers reporting security flaws, along with a private bug bounty program to aid the discovery and remediation of security issues. After the vulnerability was reported, Ivanti confirmed its validity but declined to assign a CVE because the software is end-of-life. This situation raises concerns about unknown vulnerabilities in outdated COTS software, which often receives no regular security testing.
The evaluation emphasizes the critical need for consistent patching and testing of legacy systems to mitigate potential security risks.
Original Source: Read the Full Article Here