Advisory CVE-2020-13774 – Ivanti Unified Endpoint Manager authenticated RCE via file upload

Nov 12, 2020 | Jumpsec, Research

Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1; <= 2019.1.3
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13774
Published: 12/11/2020
CVSS 3.1 Score: 9.9 – AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Improper validation in the file upload functionality of Ivanti Unified Endpoint Manager’s web management console permits an authenticated user to upload .aspx files and execute them in the context of the MS IIS server. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image which, on failure, leave the temporarily created files in a web-accessible location on the server.

Solution

The issue has been resolved by the vendor in version 2020.1.1. Customers can install the latest available software update to fix the vulnerability. The vendor also communicated that the issue has been fixed in version 2019.1.4, although this has not been verified by JUMPSEC.

Technical details

The “/LDMS/softwaredistribution/EditLaunchPadDialog.aspx” URL permits the upload of an image file on the server. Security controls on the file extension are implemented client-side and can thus be easily bypassed. By crafting a proper .ico image file containing ASP code and uploading it with .aspx extension, it is later possible to access and execute the malicious file on “/landesk/files/<filename>.aspx”.

The user must be authenticated and either be a member of the “LANDesk Administrators” group, or be a member of the “Landesk Management Suite” group and be assigned the “Software Distribution” role, in order to access the vulnerable component.
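As an added example (not part of the advisory), the following detection logic runs over IIS W3C access logs: the two URL paths come from the advisory above, while the log lines and the field order are constructed for illustration. The indicator is any request for a server-side script (.aspx) under /landesk/files/, a directory that should only ever serve images, correlated with an earlier POST to the upload dialog from the same client.

```python
"""Detect exploitation of CVE-2020-13774 in IIS W3C logs (added example)."""
import re

# Paths taken from the advisory; compared case-insensitively as IIS does.
UPLOAD_PAGE = "/ldms/softwaredistribution/editlaunchpaddialog.aspx"
FILES_DIR = "/landesk/files/"
SCRIPT_EXT = re.compile(r"\.aspx$", re.IGNORECASE)

# Constructed sample log (not real traffic); field order from the #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-04-15 10:00:01 10.0.0.5 GET /ldms/softwaredistribution/EditLaunchPadDialog.aspx - 200
2020-04-15 10:00:09 10.0.0.5 POST /ldms/softwaredistribution/EditLaunchPadDialog.aspx - 200
2020-04-15 10:00:12 10.0.0.5 GET /landesk/files/launchpad.ico - 200
2020-04-15 10:00:40 10.0.0.5 GET /landesk/files/image1.aspx - 200
2020-04-15 10:01:03 10.0.0.9 GET /landesk/files/icon2.ico - 200
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into one dict per request."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_webshell_requests(text):
    """Return alerts for .aspx requests under /landesk/files/.

    Each alert records whether the same client earlier POSTed to the
    vulnerable upload dialog, which strengthens the finding."""
    uploaders, alerts = set(), []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and stem == UPLOAD_PAGE:
            uploaders.add(r["c-ip"])
        if stem.startswith(FILES_DIR) and SCRIPT_EXT.search(stem):
            alerts.append({
                "time": f"{r['date']} {r['time']}",
                "client": r["c-ip"],
                "uri": r["cs-uri-stem"],
                "status": r["sc-status"],
                "uploaded_first": r["c-ip"] in uploaders,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_webshell_requests(SAMPLE_LOG):
        print(alert)
```

A 200 response for such a request means the script executed; a 404 from the same client after a POST to the upload dialog is still worth reviewing as a failed attempt.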

Timeline

15/04/2020: Issue reported to the vendor
16/04/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
12/11/2020: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.
