JUMPSEC researchers have discovered a series of vulnerabilities in (LANDesk) Ivanti Endpoint Manager, a centralized software solution for administering and monitoring multiple devices in a computer system. Successful exploitation of these vulnerabilities could allow an attacker to disrupt the functionality of the software, e.g. preventing patching and leaving endpoints exposed, or to move laterally in order to compromise other services or data residing on the same network.
JUMPSEC has followed a responsible disclosure process with Ivanti but, as yet, the vulnerabilities remain unpatched.
Organisations use Ivanti Endpoint Manager software as a way to gain efficiencies when managing Windows, macOS, iOS and Android devices. The technology is widely adopted and provides the functionality to control software updates; if used maliciously, it poses a significant risk. The discovered vulnerabilities affect various components of Endpoint Manager and range from remote code execution to local privilege escalation. Remotely exploitable issues require the attacker to hold valid credentials in order to authenticate to the platform; however, the access level (role) required by the attacker is low. Attackers that have local access to hosts where the affected software is installed might be able to escalate their privileges to the highest level.
Organisations should ensure they make themselves familiar with their implementation of the technology, including the scale and the functionality.
Technical details of each vulnerability can be found on JUMPSEC Labs, however Ivanti [Landesk] is yet to patch all of the vulnerabilities and therefore JUMPSEC advises organisations to do the following:
- Validate their potential exposure through credential auditing, particularly checks that validate against well-publicised credential dumps.
- Review the configuration of the host running the software and monitor for suspicious activity.
- Review user access and restrict access to the affected resources where possible.
- Restrict access to the web management console’s file upload URL.
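As an added illustration of the first recommendation above (auditing credentials against well-publicised dumps), the following Python example is not JUMPSEC's or Ivanti's code. It assumes a local copy of a leaked-password corpus stored as SHA-1 digests and a feed of (username, password) pairs captured at password-change time; the leaked corpus, usernames and passwords below are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of "well-publicised" leaked passwords. In a real audit this
# would be a local copy of a breach corpus, held as SHA-1 digests rather than
# plaintext so that the corpus itself is not a credential store.
LEAKED_PASSWORDS_CONSTRUCTED = ["password", "Welcome1", "Summer2020", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the usual format of breach corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(leaked_hashes: Iterable[str], prefix_len: int = 5) -> Dict[str, Set[str]]:
    """Bucket leaked hashes by their first `prefix_len` hex characters.

    Looking up a bucket and then matching the suffix inside it mirrors the
    k-anonymity style of query used by public breach-lookup services, so the
    full hash of a candidate password never needs to leave the auditing host
    if the corpus is ever queried remotely instead of locally.
    """
    index: Dict[str, Set[str]] = {}
    for h in leaked_hashes:
        h = h.upper()
        index.setdefault(h[:prefix_len], set()).add(h[prefix_len:])
    return index


def is_exposed(password: str, index: Dict[str, Set[str]], prefix_len: int = 5) -> bool:
    """True if the password's SHA-1 appears in the leaked-hash index."""
    h = sha1_hex(password)
    return h[prefix_len:] in index.get(h[:prefix_len], set())


def audit_accounts(accounts: Iterable[Tuple[str, str]], index: Dict[str, Set[str]]) -> List[str]:
    """Return usernames whose current password appears in the leaked corpus.

    `accounts` is an iterable of (username, password) pairs as seen at
    password-change time; the plaintext is only hashed, never stored.
    """
    return [user for user, pw in accounts if is_exposed(pw, index)]


# Constructed sample accounts (hypothetical users, not from the advisory).
ACCOUNTS_CONSTRUCTED = [
    ("svc-epm-deploy", "Welcome1"),
    ("jsmith", "Summer2020"),
    ("admin-helpdesk", "c0rrect-h0rse-battery-staple-91"),
]

if __name__ == "__main__":
    idx = build_prefix_index(sha1_hex(p) for p in LEAKED_PASSWORDS_CONSTRUCTED)
    for user in audit_accounts(ACCOUNTS_CONSTRUCTED, idx):
        print(f"{user}: password present in leaked corpus; force a reset")
```

Accounts flagged by `audit_accounts` are the ones whose credentials would let a low-privilege attacker authenticate to the platform, so they should be reset first; the service-style account in the sample is the kind that is easily overlooked in such an audit.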
JUMPSEC will release further technical guidance, specifically to aid security operations teams, on Wednesday 11th November 2020 on JUMPSEC Labs (https://labs.jumpsec.com/).