JUMPSEC recently released a number of advisories for vulnerabilities affecting Ivanti Unified Endpoint Manager, endpoint and user profile management software that integrates with a number of common operating systems including Windows, macOS, Linux, Unix, iOS, and Android. It is used by a vast number of organisations worldwide for device and user configuration management.
JUMPSEC identified vulnerabilities that would enable an attacker to:
- CVE-2020-13769 – Perform injection attacks on the endpoint manager application due to improperly sanitized user inputs allowing direct interaction with the database, enabling a malicious user to issue arbitrary commands through SQL queries. This issue is exacerbated by the default user role for the database set at administrator level, granting higher levels of privilege to the attacker in the case of compromise.
- CVE-2020-13770 – Escalate privileges from a local standard or service account as a result of several services accessing named pipes with default or overly permissive security attributes.
- CVE-2020-13771 – Place a malicious DLL file to obtain code execution and elevate privileges, by abusing services that rely on the Windows DLL search order to load DLL files not present on the filesystem.
- CVE-2020-13772 – Access exposed information about the system that could be used in a range of further potential attacks.
- CVE-2020-13774 – Achieve remote code execution on the server, allowing a malicious user to upload and execute malicious .aspx files as a result of improper input validation on file upload functionality, caused by insufficient file extension validation and insecure file operations on the uploaded image.
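As an illustration of the weakness class behind CVE-2020-13774, the following added example (not Ivanti's code and not taken from the JUMPSEC advisory, which does not show the affected handler) contrasts an insufficient extension check with a hardened image upload routine. The function names, the allow-list and the sample bytes are assumptions constructed for this example.

```python
import os
import uuid

# Assumed policy for this example: final extension -> accepted leading bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs (not taken from the advisory).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ASPX_BYTES = b'<%@ Page Language="C#" %>'

def naive_accepts(filename):
    """Insufficient check: an image extension anywhere in the name passes."""
    return any(ext in filename.lower() for ext in ALLOWED)

def safe_store_name(filename, data):
    """Return a server-generated file name for a valid image, else None."""
    # Only the final extension counts, and it must be on the allow-list.
    ext = os.path.splitext(filename)[1].lower()
    magics = ALLOWED.get(ext)
    # The content must also start with a signature matching that extension.
    if magics is None or not data.startswith(magics):
        return None
    # Discard the client-supplied name: random stem plus validated extension.
    return uuid.uuid4().hex + ext

def store_upload(upload_dir, filename, data):
    """Write an accepted upload into upload_dir, which should sit outside
    any directory the web server executes scripts from."""
    name = safe_store_name(filename, data)
    if name is None:
        raise ValueError("upload rejected")
    path = os.path.join(upload_dir, name)
    # O_EXCL makes the write fail rather than overwrite an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

The naive check accepts a name such as `shell.png.aspx`, while the hardened routine rejects it on the final extension and rejects a correctly named file whose content is not an image.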
JUMPSEC recommends that organisations using Ivanti Unified Endpoint Manager look to identify where vulnerable instances of the software are running. The remediation status of these vulnerabilities and recommended mitigations, where appropriate, are provided below.
JUMPSEC has provided guidance to detect exploitation of CVE-2020-13770 and CVE-2020-13771, which at the time of writing are yet to be resolved with a patch. The full technical guidance can be found here: