Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that could let unauthenticated attackers hijack enrolled devices or the core server.
Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.
The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.
Attackers with access to a target's internal network can exploit the vulnerability in low-complexity attacks that do not require privileges or user interaction.
"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti says.
"This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this can lead to RCE on the core server."
The company says it has no evidence that its customers have been affected by attackers exploiting this vulnerability.
Currently, Ivanti blocks public access to an advisory containing full CVE-2023-39366 details, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.
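Ivanti describes the root cause only as an "unspecified SQL injection", so the details of the EPM flaw are not public. The following is an added, generic illustration of the bug class and its standard fix, not code from Ivanti or from the advisory: a constructed in-memory inventory table stands in for a management server's database, and the same lookup is written once by concatenating untrusted input into the statement and once with a bound parameter. The table, hostnames and the `x' OR '1'='1` input are all constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for an endpoint-management
# server's inventory table. Schema and rows are illustrative only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (hostname, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-01", "svc")],
    )
    return conn


def lookup_unsafe(conn, hostname):
    # Vulnerable pattern: the caller-supplied value becomes part of the SQL
    # text, so the database parser sees whatever the caller typed as syntax.
    sql = f"SELECT hostname, owner FROM devices WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, hostname):
    # Hardened pattern: the value is bound by the driver and is only ever
    # compared as data; it cannot change the shape of the query.
    return conn.execute(
        "SELECT hostname, owner FROM devices WHERE hostname = ?", (hostname,)
    ).fetchall()


def demo():
    # Runs both lookups against a benign hostname and a constructed
    # tautology input, returning the four result sets for comparison.
    conn = make_db()
    benign = "ws-01"
    hostile = "x' OR '1'='1"  # constructed input that closes the literal
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every row of the table for the hostile input, which is the "retrieve output without the need for authentication" behaviour the advisory describes in the abstract; the parameterised version returns nothing for the same input because the whole string is compared as one hostname. Whether a query can be turned into code execution depends on the database engine and its configuration, which is why Ivanti's note about SQL Express matters, but the first line of defence is the same in either case: never build SQL text from untrusted input.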
Zero-days exploited within the wild
In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of several Norwegian government organizations.
"Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability," CISA warned.
"Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."
A third zero-day (CVE-2023-38035) in Ivanti's Sentry software (formerly MobileIron Sentry) was exploited in attacks one month later.
The company also patched over a dozen critical security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution in December and August.
Ivanti's products are used by more than 40,000 companies globally to manage their IT assets and systems.