Ivanti on Jan. 4 patched a critical vulnerability (CVSS 9.6) in its Endpoint Manager (EPM) software that could let an attacker with internal access achieve remote code execution (RCE).
The vulnerability — CVE-2023-39336 — is an unspecified SQL injection that, if exploited, could let an attacker execute arbitrary SQL queries and retrieve their output without authenticating.
In a blog post, Ivanti said this in turn could let an attacker control the machines running the EPM agent, and that when the core server is configured to use SQL Express, it could lead to RCE on the core server itself.
Ivanti said it had no indication that customers have been impacted by the vulnerability, but noted that the bug affects all supported versions of the product; it was resolved in Ivanti EPM 2022 Service Update 5. The vendor credited hir0ot for identifying and reporting the issue.
Security pros should note that Ivanti has had a run of issues with its products over the past several months. In August, Ivanti disclosed that a zero-day vulnerability in its Ivanti Sentry gateway was being actively exploited in the wild. In the summer of 2023, its Endpoint Manager Mobile (EPMM) platform was hit by two high-profile critical vulnerabilities, one of which was exploited in an attack on 12 ministries within the Norwegian government.
Too many IT assets blind to endpoint protection?
Malicious actors have become very adept at hijacking vulnerable endpoints and using them to access data and corporate networks, explained Greg Fitzgerald, co-founder at Sevco Security. Fitzgerald said the good news with the Ivanti vulnerability is that it does not appear as if anyone has exploited the bug. The bad news: this type of vulnerability is just the tip of the iceberg when it comes to endpoint security.
Fitzgerald pointed out that recent research from Sevco uncovered a deeper problem: many companies are blind to IT assets that are missing critical controls like endpoint protection. The research found that 11% of all IT assets are missing endpoint protection in the first place. The same data shows that 15% of IT assets aren’t covered by enterprise patch management solutions and that 31% of IT assets are not covered by enterprise vulnerability management systems.
“These data points combine to tell a frightening story,” said Fitzgerald. “Too many IT assets are invisible to security teams. You can’t protect or patch an IT asset that you don’t know about. That’s why an accurate, up-to-date IT asset inventory that reflects a company’s dynamic and constantly changing attack surface is critically important.”
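The coverage gap Fitzgerald describes is usually found by reconciling a discovery-based inventory against the agent rosters each control exports. The following Python script is an added example (not from the article or from Sevco): it normalizes hostnames across sources, lists the assets missing from each control, and isolates the machines no control knows about. Every hostname, source and roster below is constructed.

```python
"""Asset-inventory reconciliation: find IT assets that are missing endpoint
protection, patch management or vulnerability management coverage.

Added example, not from the article or from Sevco. All data below is
constructed; the source names and hostnames are placeholders.
"""
from dataclasses import dataclass, field

# Constructed "ground truth" inventory, e.g. from DHCP leases, switch ARP
# tables or a CMDB export. Hostnames are made up.
DISCOVERED = {
    "ws-0101", "ws-0102", "ws-0103", "ws-0104", "ws-0105",
    "srv-epm-core", "srv-db-01", "srv-build-02", "lab-kiosk-7",
}

# Constructed agent rosters exported from each control's console.
# Each tool reports hostnames its own way (case, DNS suffix), which is a
# common cause of false "missing" results if not normalized first.
CONTROLS = {
    "endpoint_protection": {"WS-0101", "ws-0102", "ws-0103.corp.example",
                            "srv-epm-core", "srv-db-01", "srv-build-02", "ws-0105"},
    "patch_management":    {"ws-0101", "ws-0102", "ws-0103", "ws-0104",
                            "srv-epm-core", "srv-db-01"},
    "vuln_management":     {"ws-0101", "ws-0102", "srv-epm-core",
                            "srv-db-01", "srv-build-02"},
}


def normalize(hostname: str) -> str:
    """Fold case and strip any DNS suffix so the rosters can be compared."""
    return hostname.split(".", 1)[0].lower()


@dataclass
class CoverageReport:
    total: int
    missing: dict = field(default_factory=dict)   # control -> sorted hostnames

    def percent_missing(self, control: str) -> float:
        return round(100.0 * len(self.missing[control]) / self.total, 1)


def coverage_gaps(discovered, controls) -> CoverageReport:
    """Return, per control, the discovered assets with no agent/record in it."""
    known = {normalize(h) for h in discovered}
    report = CoverageReport(total=len(known))
    for name, roster in controls.items():
        covered = {normalize(h) for h in roster}
        report.missing[name] = sorted(known - covered)
    return report


def uncovered_everywhere(report: CoverageReport) -> list[str]:
    """Assets absent from every control: the fully 'invisible' machines."""
    sets = [set(v) for v in report.missing.values()]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    rep = coverage_gaps(DISCOVERED, CONTROLS)
    for control, hosts in rep.missing.items():
        print(f"{control}: {rep.percent_missing(control)}% missing -> {hosts}")
    print("no controls at all:", uncovered_everywhere(rep))
```

The useful output is the last line: an asset that appears in discovery but in none of the control rosters cannot be patched or protected by any of them, which is the situation the quote above warns about.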
Balasz Greksza, threat response lead at Ontinue, added that along with launching an RCE, the most recent flaw could remove security products on hosts running the EPM agent by uninstalling or disabling them, deploy malicious drivers or ransomware en masse, and also leave implants for persistence on critical hosts of the organization.
“The flaw is also relatively low-noise to exploit and would require security incident responders to directly monitor the SQL queries,” said Greksza.
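Greksza's point that responders would have to watch the SQL queries themselves, combined with the article's description of the flaw as arbitrary SQL execution, suggests a baseline-and-deviate approach: record the statement shapes an application login normally issues, then flag anything from that login that is stacked, touches a high-risk server procedure, or has a shape never seen before. The Python below is an added example, not code from the article or from Ivanti. The log line format, the `epm_svc` login name, the table names and every statement are constructed; the high-risk procedure list is a generic set of SQL Server features a responder commonly watches, not something the article attributes to this CVE.

```python
"""Baseline-and-deviate monitoring for SQL statements issued by an application
service account (here, a constructed stand-in for an EPM core database login).

Added example, not from the article or from Ivanti. The log format, login
name, tables and statements are constructed. HIGH_RISK lists generic SQL
Server procedures commonly monitored by responders; it is an assumption, not
a detail the article gives about this CVE.
"""
import re
from collections import Counter

# Constructed log format: "<timestamp> login=<name> stmt=<sql text>"
LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<sql>.*)$")

HIGH_RISK = ("xp_cmdshell", "sp_configure", "sp_oacreate", "openrowset", "bulk insert")


def template(sql: str) -> str:
    """Reduce a statement to its shape: string literals and numbers become '?'."""
    t = re.sub(r"'(?:[^']|'')*'", "?", sql)     # quoted strings (with '' escapes)
    t = re.sub(r"\b\d+\b", "?", t)               # bare numbers
    return re.sub(r"\s+", " ", t).strip().lower()


def parse(lines):
    """Yield dicts with ts/login/sql for every line matching the log format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def build_baseline(lines, login):
    """Statement templates seen for this login during a known-good window."""
    return Counter(template(r["sql"]) for r in parse(lines) if r["login"] == login)


def stacked(sql: str) -> bool:
    """A ';' followed by another statement keyword: the classic injection shape."""
    pattern = r";\s*(select|insert|update|delete|exec|execute|declare|create|alter|drop)\b"
    return re.search(pattern, sql, re.I) is not None


def review(lines, login, baseline):
    """Return (timestamp, reason, sql) for statements worth a responder's look."""
    findings = []
    for r in parse(lines):
        if r["login"] != login:
            continue
        sql, low = r["sql"], r["sql"].lower()
        if any(p in low for p in HIGH_RISK):
            findings.append((r["ts"], "high-risk procedure", sql))
        elif stacked(sql):
            findings.append((r["ts"], "stacked statements", sql))
        elif template(sql) not in baseline:
            findings.append((r["ts"], "unseen template", sql))
    return findings


# Constructed baseline window: what the application normally does.
BASELINE_LOG = [
    "2024-01-05T09:00:01Z login=epm_svc stmt=SELECT name, version FROM Agents WHERE host = 'ws-0101'",
    "2024-01-05T09:00:02Z login=epm_svc stmt=SELECT name, version FROM Agents WHERE host = 'ws-0102'",
    "2024-01-05T09:00:03Z login=epm_svc stmt=UPDATE Agents SET last_seen = 1704445203 WHERE host = 'ws-0101'",
]

# Constructed live window: one benign statement, three that deserve review,
# and one from a different login that this review ignores.
LIVE_LOG = [
    "2024-01-05T10:00:01Z login=epm_svc stmt=SELECT name, version FROM Agents WHERE host = 'ws-0103'",
    "2024-01-05T10:00:02Z login=epm_svc stmt=SELECT name, version FROM Agents WHERE host = 'x'; SELECT name FROM sys.databases",
    "2024-01-05T10:00:03Z login=epm_svc stmt=EXEC sp_configure 'show advanced options', 1",
    "2024-01-05T10:00:04Z login=epm_svc stmt=SELECT * FROM Credentials",
    "2024-01-05T10:00:05Z login=reporting stmt=SELECT COUNT(*) FROM Agents",
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG, "epm_svc")
    for ts, why, sql in review(LIVE_LOG, "epm_svc", base):
        print(f"{ts} [{why}] {sql}")
```

The template step is what keeps this low-noise in practice: an application login issues the same handful of statement shapes thousands of times a day, so a baseline of a few dozen templates is enough for a genuinely new shape to stand out, and a query that the application would never build is the signal Greksza says responders otherwise have to dig out by hand.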