CVE-2024-13159 Scanner

Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive CVE-2024-13159 Scanner

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Ivanti Endpoint Manager (EPM) is an IT asset management and patch management product widely used by organizations to manage and secure their endpoints. It helps administrators deploy patches, monitor devices, and ensure that all endpoints comply with the organization’s security standards. Because EPM manages sensitive configurations and data across the network, vulnerabilities in it can have severe consequences: unauthorized access, compromise of network assets, and data breaches that affect the overall security of the organization. The software is used in various industries, including healthcare, finance, and technology, where data integrity and endpoint security are critical. A vulnerability in EPM can also affect its integration with network devices and remote endpoints, exposing the entire network to risk.

The vulnerability identified in Ivanti EPM is caused by improper input validation in the GetHashForWildcardRecursive endpoint. It allows an unauthenticated attacker to coerce the EPM machine account credentials: the attacker provides a remote UNC path through the wildcard parameter, which triggers NTLM authentication without proper validation. The vulnerability primarily targets the SOAP-based API used by Ivanti EPM, which can be exploited remotely to bypass authentication mechanisms. Because the credential coercion attack requires no valid authentication, this is a critical security issue that could give unauthorized attackers access to sensitive machine account credentials.

The vulnerability resides in the improper handling of input parameters in the GetHashForWildcardRecursive SOAP service endpoint. The attacker can pass a malicious wildcard that includes a UNC path, which the EPM system processes without proper checks. This triggers NTLM authentication to the remote path specified in the request. The attacker does not need valid credentials to exploit this vulnerability, and no user interaction is involved: the system’s authentication process is manipulated into handing over credentials. The vulnerability only requires the attacker to send a specially crafted SOAP request to the vulnerable endpoint, making it easy to exploit over the network.
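One way to spot the request pattern described above in SOAP bodies captured at a WAF or reverse proxy, as an added example that is not part of the original page or of Ivanti's code. The element layout (a wildcard element nested under a GetHashForWildcardRecursive element), the urn:example namespace, the allowed_hosts parameter and the sample bodies are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# UNC forms: \\host\share, //host/share, \\?\UNC\host\share (local \\?\C:\ is ignored).
UNC_RE = re.compile(
    r"^\s*[\\/]{2}(?:[?.][\\/]UNC[\\/])?(?P<host>[^\\/\s?.][^\\/\s]*)[\\/]", re.I)

def _local(tag):
    """Strip the XML namespace so matching does not depend on it."""
    return tag.rsplit("}", 1)[-1]

def unc_host_in_wildcard(body, allowed_hosts=frozenset()):
    """Return the remote host a wildcard value points at, or None.

    Raises ValueError for bodies that cannot be parsed safely, so the
    caller can log them instead of silently passing them.
    """
    if "<!DOCTYPE" in body.upper():
        raise ValueError("DTD present; refusing to parse")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    for op in root.iter():
        if _local(op.tag) != "GetHashForWildcardRecursive":
            continue
        for el in op.iter():
            if _local(el.tag) == "wildcard" and el.text:
                m = UNC_RE.match(el.text)
                # allowed_hosts (hypothetical) holds lower-case file servers you expect.
                if m and m.group("host").lower() not in allowed_hosts:
                    return m.group("host")
    return None

# Constructed sample: assumed element layout, placeholder namespace.
SAMPLE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><GetHashForWildcardRecursive xmlns="urn:example:constructed">'
    "<wildcard>{}</wildcard>"
    "</GetHashForWildcardRecursive></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    for value in (r"C:\Temp\*.dll", r"\\198.51.100.7\share\*"):
        print(value, "->", unc_host_in_wildcard(SAMPLE.format(value)))
```

A hit is worth correlating with outbound SMB connections from the EPM server to the same host, since that is where the NTLM authentication described above would appear.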

If successfully exploited, this vulnerability can lead to significant security risks. An attacker can coerce sensitive machine account credentials, which can be used for further attacks such as lateral movement within the network. Attackers can potentially gain elevated privileges or unauthorized access to protected systems. This can result in the exposure of critical data, unauthorized system control, and data integrity breaches. The attacker could also use this access to install malicious software or backdoors, compromising the entire network infrastructure. Organizations using Ivanti EPM are at risk of these potential impacts unless mitigated properly.
