Advisory CVE-2020-13771 – Ivanti Unified Endpoint Manager DLL search order hijacking privilege escalation

Nov 11, 2020 | Jumpsec, Research

Software: Ivanti Unified Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13771
Published: 11/11/2020
CVSS 3.1 Score: 8.1 – AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Credit: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Several Ivanti Unified Endpoint Manager services running as ‘NT AUTHORITY\SYSTEM’ attempt to load DLLs that are not present on the filesystem, so the loader falls back to the Windows DLL search order. Under certain conditions, a local attacker who can write to one of the searched directories can plant a malicious DLL with the expected name, obtain code execution in the vulnerable service’s context and so elevate privileges to SYSTEM.

Mitigation

The vendor has released an update that partially fixes the issue. Releases 2019.1.4 and 2020.1.1 remediate some of the instances; the remaining instances (listed below) are still outstanding. Until they are fixed, review the host configuration, in particular confirming that no directory on the system PATH is writable by standard users, and monitor for unexpected DLL loads by the affected services.

Technical details

The affected services attempt to load DLLs that are not found at a fixed location, so the loader walks the Windows DLL search order: with SafeDllSearchMode enabled (the default), the application directory, System32, the 16-bit System directory, the Windows directory, the current directory and then each directory listed in the PATH system environment variable, in order. Because the DLL does not exist anywhere earlier in that order, a local attacker able to write a purposely crafted library with the matching name into any searched directory, such as a PATH entry with weak permissions, gains code execution in the context of the vulnerable service the next time it loads the library (for example at service start or after a reboot).

Vulnerable instances on version <= 2020.1.1

Service “LANDesk Inventory Server”:

  • ldprofileui.dll

Vulnerable instances on version <= 2020.1

Service “LANDesk Inventory Server”:

  • wfapi.dll
  • DMIAPI32.DLL
  • logonsrv.dll
  • ldprofileui.dll

Service “LANDesk(R) Console Redirection Service”:

  • OOBCredentials.dll
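
To check whether a given host is actually exposed, a practitioner wants two things: which directories in the machine PATH an unprivileged user can write to, and whether each DLL name above is still unresolved in every location searched before PATH. The following PowerShell is an added example and is not code from the JUMPSEC advisory or from Ivanti; the function names, the `-ApplicationDirs` parameter (the install directory of each affected service, which varies by deployment and must be supplied by the reader) and the assumption that the services request these DLLs by bare file name are all the editor’s. Run it from a standard user account on the UEM server so the result reflects an attacker’s real access.

```powershell
# Added example, not code from the JUMPSEC advisory or from Ivanti.
# Enumerates the PATH directories a SYSTEM service's loader would search, tests
# which of them the current (unprivileged) user can write to, and reports which
# of the advisory's DLL names could still be hijacked from each directory.

# DLL names taken from the advisory. Assumption: the services request them by
# bare file name, which is what triggers the search-order walk.
$AdvisoryDlls = @('ldprofileui.dll', 'wfapi.dll', 'DMIAPI32.DLL', 'logonsrv.dll', 'OOBCredentials.dll')

# Directories consulted before PATH under SafeDllSearchMode (the default):
# application directory, System32, the 16-bit System directory, the Windows
# directory. The application directory depends on where each service's
# executable lives, so it is supplied by the caller (assumed, not from the page).
function Get-PrePathSearchDirs {
    param([string[]]$ApplicationDirs = @())
    $sysRoot = $env:SystemRoot
    return @($ApplicationDirs) + @(
        (Join-Path $sysRoot 'System32'),
        (Join-Path $sysRoot 'System'),
        $sysRoot
    )
}

# Empirical write test: create and delete a uniquely named file. This honours
# Deny ACEs and inheritance, which a hand-rolled Get-Acl parse can get wrong.
# Note that the probe file is visible to file-integrity monitoring while it exists.
function Test-DirectoryWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('dllprobe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-DllHijackCandidates {
    param(
        [string[]]$DllNames = $AdvisoryDlls,
        [string[]]$ApplicationDirs = @()
    )
    # Services started by the SCM inherit the machine-scope PATH, not the
    # interactive user's, so read it from the Machine environment block.
    $machinePath = [Environment]::ExpandEnvironmentVariables(
        [Environment]::GetEnvironmentVariable('Path', 'Machine'))
    $pathDirs = $machinePath -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    # A DLL that already exists in a pre-PATH location is loaded from there,
    # so a writable PATH directory is irrelevant for that name.
    $preDirs = Get-PrePathSearchDirs -ApplicationDirs $ApplicationDirs
    $remaining = @($DllNames | Where-Object {
        $name = $_
        -not ($preDirs | Where-Object { Test-Path -LiteralPath (Join-Path $_ $name) })
    })

    foreach ($dir in $pathDirs) {
        $writable = Test-DirectoryWritable -Path $dir
        $hijackable = ''
        if ($writable) { $hijackable = $remaining -join ',' }
        [pscustomobject]@{
            Directory             = $dir
            WritableByCurrentUser = $writable
            HijackableDlls        = $hijackable
        }
        # The first directory in the order that holds the DLL wins, so a name
        # found here cannot be hijacked from any later PATH entry.
        $found = @($remaining | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
        $remaining = @($remaining | Where-Object { $found -notcontains $_ })
    }
}

# Usage: show only the PATH entries a standard user can write to, with the
# advisory DLL names that would be picked up from there by the SYSTEM service.
Get-DllHijackCandidates | Where-Object WritableByCurrentUser | Format-Table -AutoSize
```

An empty result does not prove the host is safe: the service’s own directory, the current directory of the service process and any non-default search-path configuration are not covered unless passed in, and a directory that is writable only by a specific service account or group still matters if an attacker can reach that account. A non-empty result, on the other hand, is a directly exploitable condition and the directory ACL should be tightened before anything else.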

Timeline

15/04/2020: Issue reported to the vendor
16/04/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
11/11/2020: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

