Ivanti warns critical EPM bug lets hackers hijack enrolled devices


Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server.

Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.

The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.

Attackers with access to a target’s internal network can exploit the vulnerability in low-complexity attacks that don’t require privileges or user interaction.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti says.

“This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”

The company says it has no evidence that its customers have been affected by attackers exploiting this vulnerability.

Currently, Ivanti blocks public access to an advisory containing full CVE-2023-39366 details, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.

Zero-days exploited in the wild

In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.

“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA cautioned.

“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”

A third zero-day (CVE-2023-38035) in Ivanti’s Sentry software (formerly MobileIron Sentry) was exploited in attacks one month later.

The company also patched over a dozen critical security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution in December and August.

Ivanti’s products are used by more than 40,000 companies globally to manage their IT assets and systems.



Source link