CVE-2023-39336: SQL Injection Vulnerability in Ivanti Endpoint Manager

Background:

On January 4, 2024, Ivanti issued a security advisory about a SQL injection vulnerability in their Endpoint Manager (EPM) solution, CVE-2023-39336. The vulnerability was assigned a CVSS score of 9.6, indicating that an attacker with internal network access might exploit it to run arbitrary SQL queries without authentication.

Vulnerability Details:

While no technical details about the vulnerability have been released, threat actors frequently exploit new vulnerabilities in the platform or even produce zero days for them.

To exploit this vulnerability, threat actors must first acquire access to the victim’s environment. Therefore, the impact of this vulnerability may be minimized. However, endpoint management solutions are appealing targets for threat actors because they enable elevated access to thousands of endpoints, which threat actors can employ to move laterally within an environment or conduct ransomware attacks.

Once exploited, an intruder with internal network access can utilize an unspecified SQL injection to carry out arbitrary SQL queries and fetch results without requiring authentication. Consequently, the attacker could gain control over devices running the EPM agent. This vulnerability is applicable to all MSSQL instances. Furthermore, if the core server is set up to utilize Microsoft SQL Express, it could potentially result in Remote Code Execution (RCE) on the core server.

Affected Versions:

Recommendations:

Customers must upgrade to Ivanti Endpoint Manager (EPM) 2022 SU5 or above to fix the vulnerability.

References:

https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US
https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081