CVE-2023-39336: Ivanti Addresses Major RCE Vulnerability
Ivanti, a renowned name in IT asset and systems management, has addressed a severe security vulnerability in its Endpoint Management software (EPM). This fix is a crucial step in safeguarding over 40,000 companies worldwide that rely on Ivanti’s solutions.
The vulnerability, tagged as CVE-2023-39336 (CVSS 9.6), posed a significant risk in the form of a remote code execution (RCE) flaw. This vulnerability was particularly alarming due to its potential impact on all supported versions of Ivanti EPM, a platform known for its versatility in managing a plethora of client devices. From Windows and macOS to Chrome OS and IoT systems, Ivanti EPM’s widespread use made this security flaw a major concern.
What made CVE-2023-39336 notably perilous was its low attack complexity. An attacker needed no privileges and no user interaction to exploit it, only access to the target’s internal network. The flaw, an unspecified SQL injection, allowed attackers to execute arbitrary SQL queries and retrieve their output without authentication, which could in turn give them control over machines running the EPM agent. More critically, if the core server used SQL Express, the flaw could lead to remote code execution on the server itself.
“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server,” Ivanti says.
In response to this looming threat, Ivanti has taken proactive measures by releasing a security update in version 2022 Service Update 5. This update addresses the critical flaw, thereby fortifying the defense mechanism of the EPM software against such intrusive attacks.
While the severity of the vulnerability cannot be overstated, Ivanti has reassured its clientele that there is no evidence of this security flaw being exploited by attackers. This statement offers some solace but also serves as a reminder of the constant vigilance required in the cybersecurity domain.
Update: Change from CVE-2023-39366 to CVE-2023-39336
Ivanti cited the wrong CVE in its blog post. The correct identifier is CVE-2023-39336; CVE-2023-39366 is an XSS in Cacti.