Proof-of-concept exploit released for 4 Ivanti vulnerabilities


Dive Brief:

  • Horizon3.ai researchers on Wednesday released technical details and a proof-of-concept (PoC) exploit for four critical Ivanti vulnerabilities that were first disclosed and patched last month.

  • The absolute path-traversal flaws impact Ivanti Endpoint Manager and, according to Horizon3.ai, could allow unauthenticated attackers to coerce the Ivanti EPM machine account credential into being used in relay attacks, potentially leading to server compromise.

  • Ivanti products have become popular targets for attackers in recent years, as a wide range of cyber threat actors have exploited both zero-day and known vulnerabilities to compromise devices at the network edge and gain access to victim organizations.

Dive Insight: 

While the four Ivanti vulnerabilities have not yet been exploited in the wild, the release of the PoC and technical details heightens the risk of cyberattacks. Threat actors routinely use PoCs published by cybersecurity vendors and independent researchers: For example, a critical SonicWall vulnerability recently came under exploitation following publication of a PoC by researchers at Bishop Fox. 

In a blog post published Wednesday, Zach Hanley, chief attack engineer at Horizon3.ai, said attackers could exploit the flaws to add a machine account or to relay delegated administrator-account access. That then could allow an attacker to compromise all EPM clients in an organization, he wrote.

“While none of the below relay techniques are new or novel, demonstrating the impact of this set of vulnerabilities is valuable to convey the severity of them — again impact will be environmentally dependent,” Hanley wrote.

The Ivanti EPM vulnerabilities include a credential coercion flaw in GetHashForFile for EPM (CVE-2024-10811); a credential coercion vulnerability in GetHashForWildcardRecursive (CVE-2024-13159); a credential coercion flaw in GetHashForWildcard (CVE-2024-13160); and a credential coercion vulnerability in GetHashForSingleFile (CVE-2024-13161). Ivanti assigned a CVSS score of 9.8 for all four flaws.

“The vulnerabilities, while simple to exploit, are not necessarily easy to find,” Hanley told Cybersecurity Dive via email. “The code base is very large, and understanding and mapping the unauthenticated attack surface of the application to the backend code took the majority of the time.”

According to the blog post, Horizon3.ai first reported the four vulnerabilities to Ivanti on Oct. 15, and the software vendor acknowledged receipt the following day. Ivanti disclosed and patched the vulnerabilities, along with several other CVEs, on Jan. 13. Hanley said Horizon3.ai agreed to wait an additional 30 days after the patch release to publish the technical details in order to give Ivanti customers more time to update their software.

An Ivanti spokesperson provided the following statement to Cybersecurity Dive: “Ivanti disclosed and released fixes on January 14, which addresses these vulnerabilities, and there has been no evidence of exploitation to date. As new information in the public domain increases the risk of potential exploitation, we encourage any EPM customers that have not already patched according to Ivanti’s previously released instructions to do so immediately.”

Editor’s note: This story has been updated to include comments provided by Ivanti.
