Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1; <= 2019.1.3
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13769
Published: 13/11/2020
CVSS 3.1 Score: 7.4 – AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau
Summary
A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks towards the underlying database.
On a standard installation with default options, the account used to query the database is database administrator.
Solution
The issue has been successfully resolved by the vendor in version 2020.1.1. Customers can install the latest available software update to fix the vulnerability. The vendor also reported this has also been fixed in version 2019.1.4, although this has not been verified by JUMPSEC.
Technical details
The following endpoints and parameters are vulnerable and exploitable by any authenticated user:
POST /LDMS/alert_log.aspx?d=alert_log&tb=serverAlertLog.tb
“filterValue” parameter
Type: Stacked, time-based blind, boolean-based blind
Example: filterValue=’;injection_query_here–
POST /remotecontrolauth/api/device
“global”, “displayname”, “ipaddress”, “owner” parameters
Type: Time-based blind, boolean-based blind
Example: “global”:”‘+(injection_query_here)+'”
This instance also requires a valid “sessionid” in the request.
Timeline
15/04/2020: Issue reported to the vendor
16/04/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
13/11/2020: Advisory published by JUMPSEC
