CVE-2024-13161 Scanner
Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile CVE-2024-13161 Scanner
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Ivanti Endpoint Manager (EPM) is a comprehensive endpoint management solution widely used by organizations to manage and secure their IT infrastructure. It provides capabilities such as software distribution, patch management, and security configuration. This product is essential for managing corporate endpoints, ensuring that they remain secure, compliant, and well-maintained across an organization's network. However, like many networked systems, Ivanti EPM is susceptible to vulnerabilities that can compromise its effectiveness and expose critical assets to attackers. The vulnerability in question is found within a specific endpoint of Ivanti EPM and can be exploited remotely by unauthenticated attackers. The affected version and more specific version details are not provided, but the vulnerability itself can severely impact the security of the system.
The vulnerability in Ivanti Endpoint Manager is improper input validation in the GetHashForSingleFile endpoint. An unauthenticated attacker can coerce the EPM machine account credentials by supplying a remote UNC path: when a crafted wildcard parameter is specified, the EPM system triggers NTLM authentication, which could expose sensitive credentials. This type of vulnerability is categorized as a credential coercion issue and has a critical CVSS score of 9.8. Exploitation could lead to unauthorized access or disclosure of credentials, which could facilitate further attacks on the system.
The flaw resides in the GetHashForSingleFile function of Ivanti EPM, where the wildcard parameter in the SOAP request body is improperly validated. A malicious UNC path injected into that parameter triggers NTLM authentication and coerces the system to authenticate to an attacker-controlled server, leaking sensitive credentials such as machine account credentials. The attack does not require any authentication, making it a severe remote unauthenticated attack vector. Exploitation is contingent on the system's failure to properly validate this input.
If successfully exploited, this vulnerability allows an attacker to coerce sensitive machine account credentials through NTLM authentication. These credentials may be used in further attacks, such as lateral movement within the network, privilege escalation, or data exfiltration. The attacker can potentially access restricted systems or compromise the overall security of the network. Exploiting this vulnerability could also result in a full compromise of the targeted endpoint, making it a high-impact attack. Organizations relying on Ivanti Endpoint Manager for endpoint security and management could face significant risks if this vulnerability is not mitigated.
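A defender-side check for the condition described above, as an added example that is not part of the original page or of Ivanti's code: it parses captured SOAP request bodies and flags a GetHashForSingleFile call whose wildcard value is a UNC path. The element names follow the page's wording and are matched without regard to namespace; the sample bodies, the `urn:example` namespace and the 198.51.100.7 address are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# UNC prefix: \\host or //host, including the \\?\UNC\host long form.
# Local device paths such as \\?\C:\ or \\.\pipe are not treated as remote.
UNC_RE = re.compile(r'^\s*(?:\\\\|//)(?:[?.][\\/]UNC[\\/])?(?![?.][\\/])[^\\/\s]+',
                    re.IGNORECASE)

def local(tag):
    """Drop the XML namespace so matching does not depend on an assumed URI."""
    return tag.rsplit('}', 1)[-1].lower()

def find_unc_wildcards(soap_body):
    """Return UNC values carried in <wildcard> under a GetHashForSingleFile element."""
    try:
        # For untrusted captures, a hardened parser such as defusedxml is preferable.
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []  # not XML: nothing to inspect
    hits = []
    for op in root.iter():
        if local(op.tag) != 'gethashforsinglefile':
            continue
        for child in op.iter():
            if local(child.tag) == 'wildcard' and child.text and UNC_RE.match(child.text):
                hits.append(child.text.strip())
    return hits

ENVELOPE = ('<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body>'
            '<GetHashForSingleFile xmlns="urn:example"><wildcard>{}</wildcard>'
            '</GetHashForSingleFile></Body></Envelope>')

# Constructed request bodies (placeholder namespace and documentation-range address).
SAMPLES = {
    'unc': ENVELOPE.format(r'\\198.51.100.7\share\*'),
    'long_unc': ENVELOPE.format(r'\\?\UNC\198.51.100.7\share\*'),
    'local': ENVELOPE.format(r'C:\Temp\*.exe'),
    'device': ENVELOPE.format(r'\\?\C:\Temp\*.exe'),
}

if __name__ == '__main__':
    for name, body in SAMPLES.items():
        hits = find_unc_wildcards(body)
        print(name, 'ALERT' if hits else 'ok', hits)
```

The same predicate can be used as an allow-list test on the server side: a wildcard value that matches `UNC_RE` should be rejected before any file access is attempted.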