Ivanti EPM has been found vulnerable to SQL injection that can lead to remote code execution. The vulnerability is tracked as CVE-2023-39336 and carries a Critical CVSS score of 9.6 out of 10. It permits attackers to execute arbitrary SQL queries and retrieve their output without authentication.
Description:
Ivanti® Endpoint Manager helps IT administrators gather detailed device data, automate software and OS deployments, and quickly fix user issues.
According to Ivanti, CVE-2023-39336 allows an attacker with access to the internal network to leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve their output without privileges or authentication. This gives the attacker the ability to take over machines with the EPM agent installed. If the core server is configured to use Microsoft SQL Express, the vulnerability could also lead to RCE on the core server.
Affected versions:
The vulnerability affects all supported versions of the product, specifically Ivanti EPM 2022 SU4 and all prior versions.
Defensive Measures:
Users should take the following measures to prevent exploitation of the vulnerability by potential threat actors.
It is recommended that the users upgrade to “Ivanti EPM 2022 Service Update 5” to patch the vulnerability.
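As an added illustration (not part of the advisory or of Ivanti's tooling), a small inventory triage that flags core servers still on 2022 SU4 or any earlier release, using the version boundary stated above; the `<year> SU<n>` version-string format and the hostnames are assumptions constructed for the example:

```python
import re

# Constructed inventory: hostname -> EPM version string the server reports.
# The "<year>[.minor] SU<n>" format is an assumption made for this example.
INVENTORY = {
    "epm-core-01": "2022 SU4",
    "epm-core-02": "2022 SU5",
    "epm-core-03": "2022 SU2",
    "epm-core-legacy": "2021.1 SU3",
}

# Ivanti EPM 2022 Service Update 5 is the first release with the fix.
FIXED_RELEASE = (2022, 5)

_VERSION_RE = re.compile(r"^(\d{4})(?:\.\d+)?(?:\s+SU(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (release_year, service_update) from a string such as '2022 SU4'.

    A release without an SU suffix is treated as SU0. Raises ValueError on
    strings that do not match the assumed format, so unknown hosts are not
    silently marked as patched.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(text):
    """True for 2022 SU4 and every earlier release (the advisory's affected range)."""
    return parse_version(text) < FIXED_RELEASE


def triage(inventory):
    """Return the sorted hostnames that still need the 2022 SU5 update."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected, upgrade to 2022 SU5")
```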
References:
- https://www.ivanti.com/resources/v/doc/ivi/2029/4452c0227e05
- https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US
- https://www.ivanti.com/blog/security-update-for-ivanti-epm
- https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/