CVE-2023-39336: SQL Injection Vulnerability in Ivanti Endpoint Manager

HawkEye CSOC Kuwait

Ivanti Endpoint Manager is an all-in-one endpoint management solution. It provides a unified solution for managing user profiles and all client devices that support Windows, macOS, Linux, Chrome OS, and IoT.

Background:

On January 4, 2024, Ivanti issued a security advisory about a SQL injection vulnerability in their Endpoint Manager (EPM) solution, CVE-2023-39336. The vulnerability was assigned a CVSS score of 9.6, indicating that an attacker with internal network access might exploit it to run arbitrary SQL queries without authentication.

Vulnerability Details:

While no technical details about the vulnerability have been released, threat actors frequently exploit new vulnerabilities in the platform or even produce zero days for them.

To exploit this vulnerability, threat actors must first acquire access to the victim’s environment. Therefore, the impact of this vulnerability may be minimized. However, endpoint management solutions are appealing targets for threat actors because they enable elevated access to thousands of endpoints, which threat actors can employ to move laterally within an environment or conduct ransomware attacks.

Once exploited, an intruder with internal network access can utilize an unspecified SQL injection to carry out arbitrary SQL queries and fetch results without requiring authentication. Consequently, the attacker could gain control over devices running the EPM agent. This vulnerability is applicable to all MSSQL instances. Furthermore, if the core server is set up to utilize Microsoft SQL Express, it could potentially result in Remote Code Execution (RCE) on the core server.

Affected Versions:

ProductAffected VersionFixed Version
Ivanti Endpoint ManagerEPM 2021EPM 2022 SU5
EPM 2022 SU4 and prior

Recommendations:

Customers must upgrade to Ivanti Endpoint Manager (EPM) 2022 SU5 or above to fix the vulnerability.

References:

https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US

https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment