Monday, September 16, 2024

Ivanti Patches Critical Endpoint Security Vulnerability


SQL Injection Flaw Affects All Supported Versions of Ivanti Endpoint Manager

Ivanti issued an urgent alert to users of its endpoint security product to patch a critical vulnerability that exposes systems to potential exploitation by unauthorized attackers.

In an advisory, the mobile endpoint security vendor warned its customers of an SQL injection vulnerability, tracked as CVE-2023-39336, in all supported versions of its widely used Ivanti Endpoint Manager, also known as Ivanti EPM.

The vulnerability allows attackers to execute malicious code within affected networks without authentication. The affected software is designed to operate on various platforms, including Linux, Chrome OS, Windows, macOS, and even Internet of Things devices such as routers.

Ivanti EPM also helps automate and simplify applying patches and updates to operating systems and applications across all endpoints. This is crucial for keeping software up-to-date and protected against known vulnerabilities.

The primary purpose of Ivanti EPM is to provide IT administrators with a centralized platform for efficiently managing and securing endpoints, which include desktops, laptops, servers, and other devices.

In August, Ivanti disclosed a critical vulnerability that could allow an attacker to control an Ivanti Sentry gateway server between mobile devices and back-end infrastructure.

The vulnerability, tracked as CVE-2023-38035, had a severity score of 9.8 and can be chained with previously disclosed zero-days in Ivanti’s Endpoint Manager Mobile platform for exploitation, said researchers at Mnemonic, who reported the bug.

Vulnerability Addressed

SQL injection vulnerabilities arise from flawed code that interprets user input as database commands. In more technical terms, the advisory said that these vulnerabilities occur when data is concatenated with SQL code without the quoting that SQL syntax standards require.
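The concatenation flaw described above, shown beside its parameterized fix. This is an added example, not Ivanti's code: the advisory does not disclose the affected query, so the `devices` table, the function names and the sample inputs are hypothetical, and Python's built-in `sqlite3` stands in for the product's database.

```python
import sqlite3

# Constructed sample input: the quote ends the string literal early and the
# remainder is parsed as SQL instead of being treated as data.
CRAFTED = "x' OR '1'='1"

def make_db():
    """Build a small in-memory inventory table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (hostname TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("lab-01", "alice"), ("lab-02", "bob"),
         ("lab-03", "o'brien"), ("srv-01", "ops")],
    )
    return db

def lookup_concatenated(db, owner):
    """Flawed: caller data is spliced into the SQL text without quoting."""
    sql = ("SELECT hostname FROM devices WHERE owner = '" + owner +
           "' ORDER BY hostname")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, owner):
    """Fixed: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT hostname FROM devices WHERE owner = ? ORDER BY hostname"
    return [row[0] for row in db.execute(sql, (owner,))]

def concatenated_breaks_on(db, owner):
    """True if the concatenated query is not even valid SQL for this input."""
    try:
        lookup_concatenated(db, owner)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("concatenated, crafted :", lookup_concatenated(db, CRAFTED))
    print("parameterized, crafted:", lookup_parameterized(db, CRAFTED))
    print("parameterized, o'brien:", lookup_parameterized(db, "o'brien"))
    print("concatenated fails on o'brien:", concatenated_breaks_on(db, "o'brien"))
```

The concatenated query also fails on the legitimate owner name `o'brien`, so unexplained SQL syntax errors in application logs are a useful sign that a query is built this way.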

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without needing authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this might lead to remote code execution on the core server,” the advisory said.

The vulnerability in Ivanti’s product has a severity rating of 9.6 out of 10.

The company said that such a high severity rating underscores the urgent need for users to apply the available patch promptly to safeguard their systems and networks.

Failure to promptly address this critical vulnerability could lead to severe consequences, as attackers could exploit the flaw to execute unauthorized code and compromise the security of the affected networks, the company said.

Ivanti has recommended that users prioritize the installation of the provided patch to mitigate the risk associated with this security vulnerability.

Attackers targeted other Ivanti software flaws about six months ago. On July 23, Ivanti patched a critically rated zero-day vulnerability in its Endpoint Manager Mobile platform – formerly known as MobileIron Core – after an unidentified threat actor used it to attack a dozen Norwegian government ministries.

The company later released a second emergency patch

Government security agencies in Australia and Germany advised users to update their vulnerable Sentry products.
