Software maker Ivanti is urging customers of its end-point safety product to patch a critical vulnerability that makes it potential for unauthenticated attackers to execute malicious code inside affected networks.

The vulnerability, in a category generally known as a SQL injection, resides in all supported variations of the Ivanti Endpoint Supervisor. Also referred to as the Ivanti EPM, the software runs on a spread of platforms, together with Home windows, macOS, Linux, Chrome OS, and Web of Issues gadgets comparable to routers. SQL injection vulnerabilities stem from defective code that interprets person enter as database instructions or, in extra technical phrases, from concatenating knowledge with SQL code with out quoting the info in accordance with the SQL syntax. CVE-2023-39336, because the Ivanti vulnerability is tracked, carries a severity score of 9.6 out of a potential 10.

“If exploited, an attacker with entry to the interior community can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output with out the necessity for authentication,” Ivanti officers wrote Friday in a publish saying the patch availability. “This may then permit the attacker management over machines working the EPM agent. When the core server is configured to make use of SQL categorical, this would possibly result in RCE on the core server.”

RCE is brief for distant code execution, or the power for off-premises attackers to run code of their alternative. Presently, there’s no identified proof the vulnerability is underneath energetic exploitation.

Ivanti has additionally printed a disclosure that’s restricted solely to registered customers. A replica obtained by Ars mentioned Ivanti realized of the vulnerability in October. The personal disclosure in full is:

It’s unclear what “attacker with entry to the interior community” means. Underneath the official clarification of the Frequent Vulnerability Scoring System, the code Ivanti used in the disclosure, AV:A, is brief for “Assault Vector: Adjoining.” The scoring system outlined it as:

The susceptible part is certain to the community stack, however the assault is restricted on the protocol degree to a logically adjoining topology. This may imply an assault should be launched from the identical shared bodily or logical (e.g. native IP subnet) community…

In a thread on Mastodon, a number of safety consultants provided interpretations. One one who requested to not be recognized by title, wrote:

Every part else concerning the vulnerability [besides the requirement of access to the network] is extreme:

• Assault complexity is low
• Privileges not required
• No person interplay crucial
• Scope of the next impression to different programs is modified
• Influence to Confidentiality, Integrity and Availability is Excessive

Reid Wightman, a researcher specializing in the safety of industrial management programs at Dragos, offered this evaluation:

Hypothesis however it seems that Ivanti is mis-applying CVSS and the rating ought to probably be 10.0.

They are saying AV:A (that means, “adjoining community entry required”). Normally which means that one of the next is true: 1) the susceptible community protocol will not be routable (this often means it’s not an IP-based protocol that’s susceptible), or 2) the vulnerability can be a person-in-the-middle assault (though this often additionally has AC:H, since a person-in-the-middle requires some current entry to the community in order to truly launch the assault) or 3) (what I feel), the seller is mis-applying CVSS as a result of they suppose their susceptible service shouldn’t be uncovered aka “finish customers ought to have a firewall in place”.

The belief that the attacker should be an insider would have a CVSS modifier of PR:L or PR:H (privileges required on the system), or UI:R (tricking a respectable person into doing one thing that they should not). The belief that the attacker has another current entry to the community ought to add AC:H (assault complexity excessive) to the rating. Each would cut back the numeric rating.

I’ve had many an argument with distributors who argue (3), particularly, “no one ought to have the service uncovered so it is not likely AV:N”. However CVSS doesn’t account for “good community structure”. It solely cares about default configuration, and whether or not the assault will be launched from a distant community…it doesn’t think about firewall guidelines that almost all organizations ought to have in place, in half since you at all times discover counterexamples the place the service is uncovered to the Web. You may nearly at all times discover counterexamples on Shodan and comparable. Loads of “Ivanti Service Managers” uncovered on Shodan for instance, although, I am unsure if that is the precise susceptible service.

A 3rd participant, Ron Bowes of Cranium Safety, wrote: “Distributors—particularly Ivanti—have a behavior of underplaying safety points. They suppose that making it sound just like the vuln is much less unhealthy makes them look higher, when in actuality it simply makes their clients much less protected. That is an enormous pet peeve. I am not gonna choose distributors for having a vuln, however I’m going to guage them for dealing with it badly.”

Ivanti representatives didn’t reply to emailed questions.

Placing gadgets working Ivanti EDM behind a firewall is a greatest follow and can go an extended solution to mitigating the severity of CVE-2023-39336, however it will probably do nothing to forestall an attacker who has gained restricted entry to an worker workstation from exploiting the critical vulnerability. It’s unclear if the vulnerability will come underneath energetic exploitation, however the perfect course of motion is for all Ivanti EDM customers to put in the patch as quickly as potential.