Ivanti Patches Critical Endpoint Security VulnerabilitySQL Injection Flaw Affects All Supported Versions of Ivanti Endpoint Manager
Ivanti issued an urgent alert to users of its endpoint security product to patch a critical vulnerability that exposes systems to potential exploitation by unauthorized attackers.
The mobile endpoint security vendor in an advisory warned its customers of an SQL injection vulnerability tracked as CVE-2023-39336, which is found in all supported versions of its widely used Ivanti Endpoint Manager, also known as Ivanti EPM.
The vulnerability allows attackers to execute malicious code within affected networks without needing authentication. The affected software is designed to operate on various platforms, including Linux, Chrome OS, Windows, macOS and even internet of things devices such as routers.
Ivanti EPM also helps automate and simplify the process of applying patches and updates to operating systems and applications across all endpoints. This is crucial for keeping software up to date and protected against known vulnerabilities.
The primary purpose of Ivanti EPM is to provide IT administrators with a centralized platform for efficiently managing and securing endpoints, which include desktops, laptops, servers and other devices.
In August, Ivanti disclosed a critical vulnerability that could allow an attacker to take complete control of an Ivanti Sentry gateway server, which stands between mobile devices and back-end infrastructure (see: New Zero-Day Bug Affects All Versions of Ivanti Sentry).
The vulnerability, tracked as CVE-2023-38035, had a severity score of 9.8 and can be chained with previously disclosed zero-days in Ivanti's Endpoint Manager Mobile platform for exploitation, said researchers at Mnemonic, who reported the bug.
SQL injection vulnerabilities arise from flawed code that interprets user input as database commands. In more technical terms, these vulnerabilities occur when data is concatenated with SQL code without proper quoting by SQL syntax standards, the advisory said.
"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to remote code execution on the core server," the advisory said.
The vulnerability in Ivanti's product has been assigned a severity rating of 9.6 out of a possible 10.
The company said that such a high severity rating underscores the urgent need for users to apply the available patch promptly to safeguard their systems and networks.
Failure to address this critical vulnerability promptly could potentially lead to severe consequences, as attackers could exploit the flaw to execute unauthorized code and compromise the security of the affected networks, the company said.
Ivanti has recommended that users prioritize the installation of the provided patch to mitigate the risk associated with this security vulnerability.
Attackers targeted other Ivanti software flaws about six months ago. The company on July 23 patched a critically rated zero-day vulnerability in its Endpoint Manager Mobile platform - formerly known as MobileIron Core - after an unidentified threat actor used it to attack a dozen Norway government ministries (see: Ivanti Zero-Day Used in Norway Government Breach).
The company later released a second emergency patch (see: Ivanti Says Second Zero-Day Used in Norway Government Breach).