Post

Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation
Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation
Posted By xnand
1 min read

Software: Ivanti Unified Endpoint Manager Affected Versions: <= 2020.1.1 Vendor page: www.ivanti.com CVE Reference: CVE-2020-13770 Published: 11/11/2020 CVSS 3.1 Score: 8.8 – AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Attack Vector: Local Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Several services are accessing named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’).

Mitigation

There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability; it is advised to review the host configuration and monitor for suspicious activity.

Technical details

The process of exploiting the vulnerability consists in creating a named pipe server, waiting for the vulnerable service to connect to it as a client, extract the client’s token and use it to perform privileged actions as ‘NT AUTHORITY\SYSTEM’. As there can only be one server-side named pipe object, to exploit the vulnerability it might be required to create the named pipe object before the legitimate process does, or alternatively kill it or cause it to crash.

The following named pipe client processes and named pipe objects are affected on version <=2020.1.1:

Pipe name: \.\pipe\SQLLocal\ldmsdata Server process: C:\Program Files\Microsoft SQL Server\MSSQL13.LDMSDATA\MSSQL\Binn\sqlservr.exe Client processes:

  • C:\PROGRA~1\LANDesk\MANAGE~1\landesk\SAM\SamServer\bin\SAM.O365PS_Routines.exe
  • C:\Program Files\LANDesk\LDClient\LDdevmon.exe
  • C:\Program Files\LANDesk\ManagementSuite\AlertService.exe
  • C:\Program Files\LANDesk\ManagementSuite\BrokerService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Core.Barcode.exe
  • C:\Program Files\LANDesk\ManagementSuite\SchedQry.exe
  • C:\Program Files\LANDesk\ManagementSuite\MDMManagementService.exe
  • C:\Program Files\LANDesk\ManagementSuite\commands.service.exe
  • C:\Program Files\LANDesk\ManagementSuite\CoreSyncService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.RapidDeploy.Service.exe
  • C:\Program Files\LANDesk\ManagementSuite\MPCore.exe
  • C:\Program Files\LANDesk\ManagementSuite\LDInv32.exe
  • C:\Program Files\LANDesk\ManagementSuite\SchedSvc.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Common.DBMonitorService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Common.SoftwareManager.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.DiscoveryServices.Core.exe

Timeline

28/05/2020: Issue reported to the vendor 01/06/2020: Vendor acknowledged the issues 02/06/2020: CVE number assigned from MITRE 13/07/2020: 90 days notice period for disclosure given to the vendor 11/11/2020: Advisory published by JUMPSEC

Jumpsec, Research
advisory cve cve-2020-13770 ivanti named-pipe privesc
This post is licensed under CC BY 4.0 by the author.