
WARNING: IVANTI ENDPOINT MANAGER CRITICAL VULNERABILITY

Reference: Advisory #2024-01
Version: 1.0
Affected software: Ivanti EPM 2021 / EPM 2022 prior to SU5
Type: SQL Injection
CVE/CVSS: CVE-2023-39336: CVSS 9.6 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?languag...

Risks

An attacker with access to the local network can exploit a vulnerability in Ivanti Endpoint Manager (EPM) to gain control of all devices with the EPM agent installed. This could result in a complete compromise of all enrolled machines in your organization.
 
The Centre for Cybersecurity Belgium warns that Ivanti products have been exploited by threat actors in the past.

Description

CVE-2023-39336 is an SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL queries against the EPM core server database and retrieve their output. Because the core server manages the enrolled endpoints, this access can be leveraged to control the machines running the EPM agent software.
 
Additionally, if the server on which Ivanti EPM is installed uses SQL Express, this vulnerability could lead to remote code execution (RCE) on the host server.
Ivanti has not yet publicly disclosed the technical details of this vulnerability.
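The following is an added illustration of the vulnerability class described above (unauthenticated SQL injection that returns query output to the caller); it is not Ivanti's code, and the EPM query, schema and SQL Express RCE path are not modelled because their details are undisclosed. The table names, rows and the injected payload are constructed for the example and run against an in-memory SQLite database, so it executes offline:

```python
import sqlite3

# Constructed sample data (hypothetical, not EPM's schema): a 'devices' table the
# application is meant to expose, and a 'credentials' table it is not.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (name TEXT, os TEXT)")
    con.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("ws-01", "Windows 11"), ("ws-02", "Windows 10"), ("srv-01", "Windows Server 2022")],
    )
    con.execute("CREATE TABLE credentials (username TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO credentials VALUES (?, ?)",
        [("svc_deploy", "hunter2"), ("admin", "Winter2023!")],
    )
    con.commit()
    return con


def lookup_vulnerable(con, name):
    # Vulnerable pattern: the caller-controlled value is concatenated into the SQL
    # text, so quote characters and keywords in it are parsed as SQL.
    sql = "SELECT name, os FROM devices WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    # Hardened pattern: the value is bound as a parameter and is never parsed as SQL,
    # whatever characters it contains.
    return con.execute("SELECT name, os FROM devices WHERE name = ?", (name,)).fetchall()


# Constructed injection payload: closes the string literal, appends a UNION that reads
# an unrelated table with the same column count, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, secret FROM credentials --"


def demo():
    con = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(con, "ws-01"),
        "vulnerable_injected": sorted(lookup_vulnerable(con, PAYLOAD)),
        "hardened_normal": lookup_parameterized(con, "ws-01"),
        "hardened_injected": lookup_parameterized(con, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the payload returns every row of the credentials table in the response, which is the "execute arbitrary SQL queries and retrieve output" behaviour the advisory describes; the parameterized query treats the same payload as a literal device name and returns nothing.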

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The latest version for Ivanti EPM at the time of writing is 2022 SU5.
 
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place.
 

References

https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39336