Security researchers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving anyone who has not already applied the patches released in January extra incentive to revisit their to-do lists.

The four vulnerabilities, all of which were rated 9.8 out of 10 on the CVSS severity scale, are tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159.

Ivanti described all four as absolute path traversal flaws and fixed them for its Windows-based product in its January update.

At the time, the vendor did not provide much detail about the critical security holes other than to note that a successful exploit would allow “a remote unauthenticated attacker to leak sensitive information.”

Much more information about the bugs is now available thanks to the appearance of a technical write-up by Zach Hanley, a vulnerability researcher at infosec consultancy Horizon3.ai. Hanley found and reported the issues to Ivanti in October 2024, and on Wednesday published a proof-of-concept (PoC) exploit.

According to Hanley, all four flaws can be exploited by an unauthenticated attacker and can be abused “to coerce the Ivanti [Endpoint Manager] machine account credential to be used in relay attacks, potentially allowing for server compromise.”

In slightly plainer English, what this all means is that it is possible for any miscreant who can reach the web-based APIs of a vulnerable Ivanti Endpoint Manager deployment to make that software reach out to a remote server when looking up a directory, and thus leak the manager’s host machine’s NTLMv2 hash to that remote server, which can potentially be used for account impersonation and other nefarious acts that lead to a system compromise.

It is as simple as passing a path such as \10.0.0.1tmpfactor[.]txt, which points at a remote host, to parts of the API as a parameter; the manager then attempts to authenticate to 10.0.0.1 to access the path, and thus leaks an NTLMv2 hash to that remote box.
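The root cause described above is a path parameter that the service hands to the filesystem without checking whether it names a remote host or escapes the intended directory. The following is an added example of the kind of server-side check that closes that gap; it is not Ivanti’s or Horizon3.ai’s code, and the base directory it uses is a hypothetical placeholder.

```python
import ntpath

# Hypothetical directory the endpoint is allowed to list; the real product's
# paths are not part of this article.
BASE_DIR = r"C:\ExampleService\Listings"


def classify_path(param: str) -> str:
    """Classify a user-supplied path parameter before any filesystem call.

    Returns "ok" when the path stays inside BASE_DIR, otherwise a short
    rejection reason. The parameter is assumed to be already URL-decoded.
    """
    if not param or "\x00" in param:
        return "reject:empty-or-nul"

    # Windows accepts both separators, so normalize before inspecting.
    normalized = param.replace("/", "\\")

    # A UNC path (\\host\share\...) makes Windows open an SMB connection to
    # the named host, and the service account authenticates to it. That is
    # exactly the coerced-authentication leak described in the article, so
    # it is refused outright rather than resolved.
    if normalized.startswith("\\\\"):
        return "reject:unc"

    # Drive-absolute (C:\...), drive-relative (C:foo) and root-relative
    # (\foo) paths all bypass the base directory, so refuse them too.
    drive, tail = ntpath.splitdrive(normalized)
    if drive or tail.startswith("\\"):
        return "reject:absolute"

    # Collapse "." and ".." segments, then confirm the result is still
    # located under BASE_DIR (the classic absolute path traversal check).
    joined = ntpath.normpath(ntpath.join(BASE_DIR, normalized))
    if ntpath.commonpath([BASE_DIR, joined]) != ntpath.normpath(BASE_DIR):
        return "reject:traversal"

    return "ok"
```

The check is deliberately written with `ntpath` so it reasons about Windows path rules regardless of the host it runs on; an outbound firewall rule blocking SMB from the server is a complementary control that limits the damage if such a check is missing.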

Ivanti told us it has found “no evidence” the flaws have been targeted, reminded us that patches are available, and urged their adoption now that PoC code is available, as “new information in the public domain increases the risk of potential exploitation.”

That’s sound advice, as attackers really like poking holes in Ivanti products, as was the case when Ivanti addressed zero-day exploits last month.

Consider patch 2.0, too

Regardless of whether you applied the January patch, Ivanti has urged all customers to implement a second version of its fix because the first caused a problem with the Windows “Actions” tab that prevented customers from creating new Windows Action packages or editing existing ones.

“We have updated this patch to a V2 version that restores the ‘Actions’ tab,” a February 18 update to Ivanti’s security advisory noted. “If the original version was installed, V2 must be installed as well to restore the ‘Actions’ tab.” ®
