
Advisory CVE-2020-13769 – Ivanti Unified Endpoint Manager SQL injection

Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1; <= 2019.1.3
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13769
Published: 13/11/2020
CVSS 3.1 Score: 7.4 – AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks against the underlying database. On a standard installation with default options, the account used to query the database is a database administrator.

Solution

The issue has been resolved by the vendor in version 2020.1.1. Customers can install the latest available software update to fix the vulnerability. The vendor also reported that the issue has been fixed in version 2019.1.4, although this has not been verified by JUMPSEC.

Technical details

The following endpoints and parameters are vulnerable and exploitable by any authenticated user:

POST /LDMS/alert_log.aspx?d=alert_log&tb=serverAlertLog.tb
"filterValue" parameter
Type: Stacked, time-based blind, boolean-based blind
Example: filterValue=';injection_query_here--

POST /remotecontrolauth/api/device
"global", "displayname", "ipaddress", "owner" parameters
Type: Time-based blind, boolean-based blind
Example: "global":"'+(injection_query_here)+'"
This instance also requires a valid "sessionid" in the request.
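For defenders reviewing an unpatched server, the time-based blind variant listed above leaves a trace in web server logs as repeated slow POSTs to these two endpoints from one client. The following detection sketch is an added example, not part of the original advisory or of Ivanti's code; it assumes IIS W3C logs with the time-taken field enabled, and the sample log, the 4000 ms threshold and the three-hit minimum are constructed values to tune locally.

```python
from collections import defaultdict

# Endpoints named in the advisory, lower-cased because IIS paths are case-insensitive.
ENDPOINTS = ("/ldms/alert_log.aspx", "/remotecontrolauth/api/device")

# Constructed sample IIS W3C log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status time-taken
2020-04-20 09:00:01 10.0.0.5 alice POST /LDMS/alert_log.aspx d=alert_log&tb=serverAlertLog.tb 200 180
2020-04-20 09:00:07 10.0.0.9 bob POST /LDMS/alert_log.aspx d=alert_log&tb=serverAlertLog.tb 200 5120
2020-04-20 09:00:14 10.0.0.9 bob POST /LDMS/alert_log.aspx d=alert_log&tb=serverAlertLog.tb 200 5098
2020-04-20 09:00:21 10.0.0.9 bob POST /remotecontrolauth/api/device - 200 5105
2020-04-20 09:01:00 10.0.0.5 alice GET /LDMS/alert_log.aspx d=alert_log 200 90
2020-04-20 09:02:00 10.0.0.7 carol POST /remotecontrolauth/api/device - 200 6200
"""

def find_slow_posts(log_text, slow_ms=4000, min_hits=3):
    """Return {(client_ip, username): [(time, uri, ms), ...]} for clients with
    at least min_hits POSTs to the advisory endpoints taking >= slow_ms."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directives, blank lines, malformed rows
        row = dict(zip(fields, parts))
        uri = row.get("cs-uri-stem", "").lower()
        taken = row.get("time-taken", "")
        if row.get("cs-method") != "POST" or uri not in ENDPOINTS:
            continue
        if not taken.isdigit() or int(taken) < slow_ms:
            continue
        key = (row.get("c-ip", "-"), row.get("cs-username", "-"))
        hits[key].append((row.get("time", "-"), uri, int(taken)))
    # A single slow request is common; repeated ones from one client are not.
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for (ip, user), events in find_slow_posts(SAMPLE_LOG).items():
        print(f"{ip} {user}: {len(events)} slow POSTs")
        for when, uri, ms in events:
            print(f"  {when} {uri} {ms} ms")
```

IIS does not log POST bodies by default, so the injected parameters themselves are not visible here, and the boolean-based blind variant produces no timing signal; treat a hit as a lead for deeper review rather than confirmation.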

Timeline

15/04/2020: Issue reported to the vendor
16/04/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
13/11/2020: Advisory published by JUMPSEC

This post is licensed under CC BY 4.0 by the author.