Original Article Text

Ivanti warns critical EPM bug lets hackers hijack enrolled devices

Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server. Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.

The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5. Attackers with access to a target's internal network can exploit the vulnerability in low-complexity attacks that don't require privileges or user interaction.

"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti says. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server."

The company says it has no evidence that its customers have been affected by attackers exploiting this vulnerability. Currently, Ivanti blocks public access to an advisory containing full CVE-2023-39366 details, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.

Zero-days exploited in the wild

In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.

"Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability," CISA cautioned. "Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."

A third zero-day (CVE-2023-38035) in Ivanti's Sentry software (formerly MobileIron Sentry) was exploited in attacks one month later. The company also patched over a dozen critical security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution in December and August.

Ivanti's products are used by more than 40,000 companies globally to manage their IT assets and systems.

Daily Brief Summary

MALWARE // Ivanti Fixes Critical Remote Code Execution Bug in EPM Software

Ivanti has patched a critical RCE vulnerability in its Endpoint Management (EPM) software that allowed unauthenticated attackers to take over enrolled devices or even the core server.

The vulnerability, identified as CVE-2023-39366, affects all supported versions of Ivanti EPM and has been resolved with the release of version 2022 Service Update 5.

The security flaw enables attackers within the target's internal network to perform low-complexity, no-privilege attacks, utilizing SQL injection to execute arbitrary SQL queries.

Ivanti asserts that there have been no known instances of this vulnerability being exploited against its customers to date.

The company has limited public access to the detailed advisory on CVE-2023-39366, possibly to give customers additional time to implement protective measures against potential exploits.

The article references previous incidents where state-affiliated hackers exploited two zero-day vulnerabilities in Ivanti’s EPMM software to attack Norwegian government entities, as well as a third zero-day in the company's Sentry software.

Ivanti is a key player in the IT asset management space, with its products in use by over 40,000 organizations worldwide.