A vulnerability patched in the Ivanti Endpoint Manager (EPM), an asset monitoring solution for enterprises, could potentially allow managed devices to be hijacked. Users are advised to deploy the patch as soon as possible because vulnerabilities in device management solutions have been attractive targets for attackers in the past.
The vulnerability, tracked as CVE-2023-39336, affects EPM 2022 SU4 and all previous versions and has a 9.6 out of 10 criticality score. According to the company’s advisory, it’s an SQL injection flaw that allows attackers located on the same network to execute arbitrary SQL queries and retrieve output from the EPM server without the need for authentication.
Successful exploitation can lead to the attackers taking control of machines running the EPM agent or executing arbitrary code on the server if the server is configured with Microsoft SQL Express. Otherwise, the impact applies to all instances of MSSQL.
Ivanti EPM patches come after fixes to its EDM solution
The EPM patches come after the company fixed 20 vulnerabilities on December 20 in its Avalanche enterprise mobile device management (EDM) solution. While there are no reports of these flaws being targeted in the wild for now, zero-day vulnerabilities in Ivanti device management products have been exploited before.
In August, Ivanti warned customers about an authentication bypass flaw in its Sentry product, formerly known as MobileIron Sentry, a gateway that secures traffic between mobile devices and back-end enterprise systems. The US Cybersecurity and Infrastructure Security Agency (CISA) later added the vulnerability to its Known Exploited Vulnerabilities catalog. A month before, state-sponsored attackers exploited two zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to break into Norwegian government networks.
In the past, multiple ransomware threat actors have exploited vulnerabilities in device management software, including software used by IT managed services providers (MSPs), potentially impacting thousands of businesses. Due to their extensive capabilities and privileged permissions on systems, these management agents can act as remote access trojans if hijacked.