JUMPSEC recently released a number of advisories relating to vulnerabilities identified in Ivanti Unified Endpoint Manager, endpoint and user profile management software that integrates with a number of common operating systems including Windows, macOS, Linux, Unix, iOS, and Android.
It is used by a vast number of organisations worldwide for device and user configuration management.
JUMPSEC identified vulnerabilities that would enable an attacker to:
- CVE-2020-13769 – Perform injection attacks on the endpoint manager application due to improperly sanitized user inputs allowing direct interaction with the database, enabling a malicious user to issue arbitrary commands through SQL queries. This issue is exacerbated by the default user role for the database set at administrator level, granting higher levels of privilege to the attacker in the case of compromise.
- CVE-2020-13770 – Escalate privileges from a local standard or service account as a result of several services accessing named pipes with default or overly permissive security attributes.
- CVE-2020-13771 – Place a malicious DLL file to obtain code execution to elevate privileges by abusing services relying on Windows’ DLL search order for loading DLL files not present on the filesystem.
- CVE-2020-13772 – Access exposed information about the system that could be used in a range of further potential attacks.
- CVE-2020-13774 – Achieve remote code execution on the server, allowing a malicious user to upload and execute malicious .aspx files as a result of improper input validation on file upload functionality, caused by insufficient file extension validation and insecure file operations on the uploaded image.
JUMPSEC recommends that organisations using Ivanti Unified Endpoint Manager look to identify where vulnerable instances of the software are running. The remediation status of these vulnerabilities and recommended mitigations, where appropriate, are provided below.
JUMPSEC has provided guidance to detect exploitation of CVE-2020-13770 and CVE-2020-13771, which at the time of writing are yet to be resolved with a patch. The full technical guidance can be found here.
Status and Recommended Actions
CVE-2020-13769 CVSS V3.1
Ivanti has resolved this issue. The fix is included in Endpoint Manager 2020.1 SU1 and Endpoint Manager 2019.1 SU4. Customers are advised to update to address this security concern. JUMPSEC has tested and validated the effectiveness of this patch.
CVE-2020-13770 CVSS V3.1
There is currently no fix for this issue. Ivanti recommends a number of steps to mitigate and/or limit the impact of this risk, which can be found in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity.
CVE-2020-13771 CVSS V3.1
The vendor has released an update partially fixing the issue. 2019.1.4 and 2020.1.1 releases can be installed to remediate some of the instances; the remaining instances remain outstanding. Ivanti has provided guidance on mitigating the risk further in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity.
CVE-2020-13772 CVSS V3.1
There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability. Ivanti has provided mitigation recommendations in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity. If possible, consider disabling or whitelisting access to the affected URLs.
CVE-2020-13774 CVSS V3.1
Ivanti has resolved this issue. The fix is included in EPM 2020.1 SU1 and EPM 2019.1 SU4. Customers are encouraged to update to ensure they have the latest security improvements and fixes. The remaining portion will be resolved in a future update. JUMPSEC has tested and validated the effectiveness of the patch.