Ivanti warns of serious vulnerability that could allow hackers to take over EPM machines
Ivanti is warning users of its Endpoint Management service about a serious vulnerability that could allow remote takeover of a machine without authentication. A patch has now been released for the bug.
Ivanti tracks the bug as CVE-2023-39336, which has a CVSS score of 9.6. The company says in a blog post that it has no indication that customers have been affected by the bug, but it recommends that customers update their software. A patch for the bug was included in Ivanti EPM 2022 Service Update 5.
For a successful attack, an attacker must first have access to an internal network. Once that access is established, the attacker can execute new SQL queries via an SQL injection that Ivanti has not described in detail. For example, it is possible to filter data from a server.
With those queries it would also be possible to take over devices running Ivanti’s Endpoint Manager software. If the core server had SQL enabled, an attacker could also take over that server. According to Ivanti, those actions could be performed without any further user authentication.
This is the second time in a relatively short period that Ivanti has been in the news because of a serious vulnerability. The previous time was in July last year, when it emerged that Norwegian government systems had been hacked using a zero-day in Ivanti’s mobile EPM. That attack could also be carried out without authentication.