Securing Against Ivanti Unified Endpoint Manager CVEs 2020-13769:74

31/03/2021

JUMPSEC recently released a number of advisories relating to vulnerabilities identified affecting Ivanti Unified Endpoint Manager, an endpoint and user profile management software integrating with a number of common operating systems including Windows, macOS, Linux, Unix, iOS, and Android. It is used by a vast number of organisations worldwide for device and user configuration management.

JUMPSEC identified vulnerabilities that would enable an attacker to:

  • CVE-2020-13769 - Perform injection attacks on the endpoint manager application. Improperly sanitized user inputs allow direct interaction with the database, enabling a malicious user to issue arbitrary commands through SQL queries. This issue is exacerbated by the default database user role being set at administrator level, which grants the attacker higher privileges in the case of compromise.
  • CVE-2020-13770 - Escalate privileges from a local standard or service account as a result of several services accessing named pipes with default or overly permissive security attributes.
  • CVE-2020-13771 - Place a malicious DLL file to obtain code execution and elevate privileges, by abusing services that rely on Windows' DLL search order to load DLL files not present on the filesystem.
  • CVE-2020-13772 - Access exposed information about the system that could be used in a range of further potential attacks.
  • CVE-2020-13773 - Perform client-side attacks by abusing improper input validation on the endpoint manager web console. Prompting a victim to open a malicious URL results in JavaScript code execution in the victim's browser, enabling an attacker to obtain sensitive information and execute actions on the victim's behalf.
  • CVE-2020-13774 - Achieve remote code execution on the server, allowing a malicious user to upload and execute malicious .aspx files as a result of improper input validation on file upload functionality, caused by insufficient file extension validation and insecure file operations on the uploaded image.

JUMPSEC recommends that organisations using Ivanti Unified Endpoint Manager look to identify where vulnerable instances of the software are running. The remediation status of these vulnerabilities and recommended mitigations, where appropriate, are provided below.

CVE-2020-13769
CVSS V3.1 Score: 8.8
Risk: High
Advisory: https://labs.jumpsec.com/advisory-cve-2020-13769-ivanti-uem-sql-injection/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13769?language=en_US
Ivanti has resolved this issue. The fix is included in Endpoint Manager 2020.1 SU1 and Endpoint Manager 2019.1 SU4. Customers are advised to update to address this security concern. JUMPSEC has tested and validated the effectiveness of this patch.

CVE-2020-13770
CVSS V3.1 Score: 7.8
Risk: High
Advisory: https://labs.jumpsec.com/advisory-cve-2020-13770-ivanti-uem-named-pipe-token-impersonation/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13770?language=en_US
There is currently no fix for this issue. Ivanti recommends a number of steps to mitigate and/or limit the impact of this risk, which can be found in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity.

CVE-2020-13771
CVSS V3.1 Score: 7.8
Risk: High
Advisory: https://labs.jumpsec.com/advisory-cve-2020-13771-ivanti-uem-dll-hijacking/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13771?language=en_US
The vendor has released an update partially fixing the issue. 2019.1.4 and 2020.1.1 releases can be installed to remediate some of the instances; the remaining instances remain outstanding. Ivanti has provided guidance on mitigating the risk further in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity.

CVE-2020-13772
CVSS V3.1 Score: 5.3
Risk: Medium
Advisory: https://labs.jumpsec.com/cve-2020-13772-ivanti-uem-system-information-disclosure/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13772?language=en_US
There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability. Ivanti has provided mitigation recommendations in the Security Alert. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity. If possible, consider disabling or whitelisting access to the affected URLs.

CVE-2020-13773
CVSS V3.1 Score: 5.4
Risk: Medium
Advisory: https://labs.jumpsec.com/cve-2020-13773-ivanti-uem-reflected-xss/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13773?language=en_US
There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability. JUMPSEC advises that organisations review the host configuration and monitor for suspicious activity.

CVE-2020-13774
CVSS V3.1 Score: 9.9
Risk: Critical
Advisory: https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/
Security Alert: https://forums.ivanti.com/s/article/Security-Alert-CVE-2020-13774?language=en_US
Ivanti has resolved this issue. This issue has been resolved in EPM 2020.1 SU1 and EPM 2019.1 SU4. Customers are encouraged to update to ensure they have the latest security improvements and fixes. The remaining portion will be resolved in a future update. JUMPSEC has tested and validated the effectiveness of the patch.

Detecting Exploitation

JUMPSEC has provided guidance to detect exploitation of CVE-2020-13770 and CVE-2020-13771, which at the time of writing are yet to be resolved with a patch. The full technical guidance can be found here:

https://labs.jumpsec.com/detecting-known-dll-hijacking-and-named-pipe-token-impersonation-attacks-with-sysmon/

Following the process described in the article will enable you to detect local privilege escalation attacks using Sysmon (a part of the Windows Sysinternals toolsuite) which can track, record and store detailed system events. These events can then be viewed within Windows Event Viewer, and are usually collected by SIEM software for aggregation and analysis.
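A sketch of the triage such a pipeline might run over collected Sysmon events, given as an added example and not taken from JUMPSEC's guidance or Ivanti's alerts. The service directory, pipe name and sample events are constructed placeholders; the real values come from the linked Security Alerts and detection article.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholders (assumptions, not values from the advisories): substitute the
# service directory and pipe names given in the vendor Security Alerts.
SERVICE_DIR = "c:\\program files\\example-epm\\"
WATCHED_PIPES = {"\\example_epm_pipe"}
TRUSTED_DLL_DIRS = (SERVICE_DIR, "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(xml_text):
    """Return (event_id, {field: value}) from one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def triage(xml_text):
    """Return an alert string for a suspicious event, or None."""
    event_id, d = parse_event(xml_text)
    from_service = d.get("Image", "").lower().startswith(SERVICE_DIR)
    # Event ID 7 (image loaded): a monitored service loading a DLL that is
    # unsigned or sits outside its own and the system directories.
    if event_id == 7 and from_service:
        loaded = d.get("ImageLoaded", "").lower()
        if not loaded.startswith(TRUSTED_DLL_DIRS) or d.get("Signed", "").lower() != "true":
            return f"dll-load: {d.get('Image')} loaded {d.get('ImageLoaded')}"
    # Event ID 17 (pipe created): a watched pipe name created by a process
    # other than the service that is expected to own it.
    if event_id == 17 and d.get("PipeName", "").lower() in WATCHED_PIPES and not from_service:
        return f"pipe-create: {d.get('PipeName')} created by {d.get('Image')}"
    return None

def make_event(event_id, **fields):
    """Build a minimal constructed Sysmon event for the samples below."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

SVC = "C:\\Program Files\\Example-EPM\\svc.exe"  # hypothetical service binary
SAMPLES = [  # constructed events, not captured logs
    make_event(7, Image=SVC, ImageLoaded="C:\\Users\\Public\\helper.dll", Signed="false"),
    make_event(7, Image=SVC, ImageLoaded="C:\\Windows\\System32\\version.dll", Signed="true"),
    make_event(17, PipeName="\\example_epm_pipe", Image="C:\\Users\\Public\\tool.exe"),
    make_event(17, PipeName="\\example_epm_pipe", Image=SVC),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Image-load and pipe events are only recorded when the Sysmon configuration includes ImageLoad and PipeEvent rules, so the configuration has to be in place before this kind of triage has anything to read.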

 
