CVE-2020-13769: SQL Injection in Ivanti Endpoint Manager
Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.
Ivanti Unified Endpoint Manager is an endpoint and user-profile management software that is core to: 1) discovering everything that touches your network; 2) automating software delivery; 3) reducing headaches with login performance; and 4) integrating actions with multiple IT solutions.
Researchers Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau found two URLS (as below) to be vulnerable to SQL Injection:
- POST /LDMS/alert_log.aspx?d=alert_log&tb=serverAlertLog.tb;
“filterValue” parameter
Type: Stacked, time-based blind, boolean-based blind
Example: filterValue=’;injection_query_here–
- POST /LDMS/alert_log.aspx?d=alert_log&tb=serverAlertLog.tb;
POST /remotecontrolauth/api/device
“global”, “displayname”, “ipaddress”, “owner” parameters
Type: Time-based blind, boolean-based blind
Example: “global”:”‘+(injection_query_here)+’”
This instance also requires a valid “sessionid” in the request.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base Score is 7.4 (High)
1.3 Affected Version
Ivanti Endpoint Manager versions <= 2020.1; <= 2019.1.3. Patched software is available in version 2020.1.1
1.4 Vulnerability Attribution
Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau
1.5 Risk Impact
The product appears in the “challenger” category of Gartner’s Magic quadrant of Unified Endpoint Management. SQL Injection vulnerabilities have the potential to become very serious very quickly. A carefully crafted SQL statement can cause tables to get dropped, web shells to be dropped on the attacked server and can lead to loss of sensitive PII. A public domain exploit is available here.
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP)- Web can detect SQL Injection attacks reliably and can save its customers from this type of attack.
1.7 Reference Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13769
- https://labs.jumpsec.com/advisory-cve-2020-13769-ivanti-uem-sql-injection/
Download the full vulnerability report to learn more about this and other important vulnerabilities.
The post CVE-2020-13769: SQL Injection in Ivanti Endpoint Manager appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-13769-sql-injection-in-ivanti-endpoint-manager/
