Ivanti EPM vulnerabilities actively exploited in the wild, CISA warns

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities in Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it has seen in-the-wild exploitation. The flaws were patched in January after the researcher who found them reported them privately to Ivanti.

The three vulnerabilities, tracked as CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, are described by Ivanti as absolute path traversals and were part of a larger patch that addressed four critical and 12 high-severity flaws. At the time, the company said it had no evidence of the flaws being exploited in the wild.

The three vulnerabilities, plus a fourth one, were discovered and reported to Ivanti by researcher Zach Hanley of penetration testing firm Horizon3.ai. Hanley wrote up the research in a February blog post that also included proof-of-concept exploit code.

Credential coercion

Hanley described the flaws as credential coercion issues because they could allow unauthenticated attackers to coerce the Ivanti EPM server's machine account credential into being used in NTLM relay attacks, which could in turn result in server compromise.

Ivanti EPM is an asset monitoring and management solution for enterprises that can manage a variety of desktop and mobile devices. The server component is an application written in .NET that exposes various API endpoints.

Hanley found that the input to several unauthenticated API endpoints was not properly sanitized and could be used to pass UNC absolute paths to several methods: GetHashForFile, GetHashForSingleFile, GetHashForWildcard and GetHashForWildcardRecursive, all of which compute hashes for files in caller-specified directories.
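The defensive point behind the paragraph above is that a file-hashing routine which accepts a caller-supplied path will, when handed a UNC path such as `\\host\share\file`, open an SMB connection to that host and authenticate as the account the service runs under; that is what turns a path-traversal bug into credential coercion. The general mitigation is to refuse UNC, device and absolute paths outright and to confine every resolved path to one allowed directory before any file API sees it. The block below is an added example written for this article; it is not Ivanti's code, it is in Python rather than .NET, and the root directory and sample inputs are constructed. It uses `ntpath` so that Windows path semantics (drive letters, backslashes, case-insensitivity) are checked lexically on any platform.

```python
import ntpath
import hashlib

# Constructed example: the only directory the hashing endpoint may read from.
ALLOWED_ROOT = r"C:\ProgramData\Example\HashRoot"


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path must not reach the file-hashing code."""


def is_unc_or_device_path(path: str) -> bool:
    # Any leading double separator is refused: \\server\share, //server/share,
    # the long form \\?\UNC\server\share and device paths \\.\name. A UNC target
    # would make the server open an SMB session with its own service account.
    return path.replace("/", "\\").startswith("\\\\")


def validate_relative_path(user_input: str, root: str = ALLOWED_ROOT) -> str:
    """Return the absolute path of `user_input` under `root`, or raise UnsafePathError."""
    if not user_input or "\x00" in user_input:
        raise UnsafePathError("empty or NUL-containing path")
    if is_unc_or_device_path(user_input):
        raise UnsafePathError("UNC path rejected")
    drive, _ = ntpath.splitdrive(user_input)
    if drive or ntpath.isabs(user_input):
        raise UnsafePathError("absolute path rejected")
    # Resolve '..' segments and mixed separators lexically, then confirm the
    # result is still inside the root (case-insensitive, as on NTFS).
    candidate = ntpath.normpath(ntpath.join(root, user_input))
    root_norm = ntpath.normpath(root)
    cand_cmp = ntpath.normcase(candidate)
    root_cmp = ntpath.normcase(root_norm)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        raise UnsafePathError("path escapes allowed root")
    return candidate


def classify(user_input: str) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_relative_path(user_input)
        return "accepted"
    except UnsafePathError as exc:
        return f"rejected: {exc}"


def hash_file_under_root(user_input: str, root: str = ALLOWED_ROOT) -> str:
    """Hash a file only after its path has passed validation (SHA-256 hex)."""
    path = validate_relative_path(user_input, root)
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed inputs: one benign relative path and the shapes an
    # unauthenticated caller must never be able to push into a file API.
    samples = [
        r"reports\jan.txt",
        "reports/jan.txt",
        r"\\10.0.0.5\share\file.txt",
        "//10.0.0.5/share/file.txt",
        r"\\?\UNC\10.0.0.5\share\file.txt",
        r"C:\Windows\win.ini",
        r"..\..\..\Windows\win.ini",
        r"\Windows\win.ini",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {classify(sample)}")
```

The containment check is what makes the validator robust: even if a future Python version changes how `ntpath.isabs` treats a rooted-but-driveless path like `\Windows\win.ini`, the resolved candidate still falls outside the root and is refused. In a real service the same check belongs at every entry point that eventually reaches a file API, not only the hashing methods named above.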

“Compromising the Endpoint Manager server itself would lead to the ability to compromise all of the EPM clients, making this avenue especially impactful,” the researcher wrote.

Ivanti products in attackers’ crosshairs

Multiple Ivanti products have been targeted by attackers over the past year, especially by state-sponsored cyberespionage groups who developed zero-day exploits for them.

Back in January, Ivanti patched a critical remote code execution flaw in its Connect Secure SSL VPN appliance that a Chinese APT group had been exploiting as a zero-day since at least mid-December.

That same group had exploited zero-day flaws in the same product one year prior.
