In a recent discovery made by security researcher Hanley, several flaws were identified in the Ivanti Endpoint Manager (EPM) solution that could potentially put enterprise servers at risk. Hanley specifically labeled these vulnerabilities as credential coercion issues, as they could be exploited by unauthenticated attackers to manipulate the Ivanti EPM machine account credential for use in NTLM relay attacks. The implications of such an attack could lead to a compromise of the server’s security.
Ivanti EPM is a critical tool for organizations as it provides monitoring and management capabilities for a range of desktop and mobile devices. The server component of Ivanti EPM is built using .NET and offers various API endpoints for interaction.
The root of the problem lies in the lack of proper input sanitization in several unauthenticated API endpoints within the Ivanti EPM server. An attacker could trigger the flaw by passing a UNC absolute path to one of four methods, namely GetHashForFile, GetHashForSingleFile, GetHashForWildcard, and GetHashForWildcardRecursive. These methods compute hashes for files located in a caller-specified directory, so a UNC path pointing at an attacker-controlled host causes the server to reach out to that host and authenticate with its machine account.
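The defensive fix for this class of bug is to refuse any caller-supplied path that is not a plain relative name under an allow-listed directory, before the file-hashing code ever touches the filesystem. The following C# helper is an added example written for this article; it is not Ivanti's code, and the class name `SafePath`, the method `TryResolveUnderRoot`, and the root directory used in `Main` are assumptions chosen for illustration.

```csharp
using System;
using System.IO;

// Added example (not Ivanti EPM code): a guard that a file-hashing endpoint
// would call on the caller-supplied path before opening anything.
public static class SafePath
{
    // Returns true and the canonical on-disk path only when 'requested' is a
    // relative name that resolves inside 'root'. UNC, device, and rooted paths
    // are rejected outright, because resolving a UNC path makes the server
    // authenticate (with its machine account) to the host named in the path.
    public static bool TryResolveUnderRoot(string root, string requested, out string resolved)
    {
        resolved = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;

        // \\host\share, //host/share, \\?\ and \\.\ device paths all start with
        // two separators; reject them before any other processing.
        if (requested.StartsWith(@"\\", StringComparison.Ordinal) ||
            requested.StartsWith("//", StringComparison.Ordinal))
            return false;

        // Reject drive-letter and leading-separator paths. This check must come
        // before Path.Combine, which silently returns a rooted second argument.
        if (Path.IsPathRooted(requested)) return false;

        // Canonicalise and confirm the result is still under the root; this
        // blocks ..\ traversal out of the allow-listed directory.
        string fullRoot = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(fullRoot, requested));
        if (!candidate.StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase)) return false;

        resolved = candidate;
        return true;
    }

    public static void Main()
    {
        // Assumed allow-listed root for hashing requests (constructed for the demo).
        string root = Path.Combine(Path.GetTempPath(), "epm-hash-root");

        string[] inputs =
        {
            @"packages\agent.msi",          // accepted: relative, stays under root
            @"\\attacker.example\share\x",  // rejected: UNC path
            @"//attacker.example/share/x",  // rejected: UNC path, forward slashes
            @"C:\Windows\win.ini",          // rejected: rooted path
            @"..\..\secrets.txt",           // rejected: escapes the root
        };

        foreach (string input in inputs)
        {
            bool ok = TryResolveUnderRoot(root, input, out string resolved);
            Console.WriteLine($"{(ok ? "ACCEPT" : "REJECT")}  {input}{(ok ? " -> " + resolved : "")}");
        }
    }
}
```

The order of the checks matters: the UNC test runs first because on Windows `Path.GetFullPath` would happily canonicalise a UNC path without contacting the host, and only the later file open would trigger the outbound authentication, so a guard placed after canonicalisation still lets the dangerous string reach the filesystem layer.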
By taking advantage of these flaws, attackers could potentially gain unauthorized access to sensitive files and compromise the integrity of the server. The ability to coerce the machine account credential opens up the possibility for malicious actors to launch NTLM relay attacks, a type of attack that can be particularly damaging to an organization’s security posture.
It is crucial for organizations using Ivanti EPM to be aware of these vulnerabilities and take appropriate action to mitigate the risks. This may include applying security patches provided by Ivanti, implementing additional security measures, and conducting thorough security assessments to identify and address any other potential weaknesses in their systems.
Overall, the discovery of these credential coercion issues in Ivanti EPM serves as a reminder of the importance of ongoing vigilance and proactive security measures in today’s increasingly complex and interconnected digital landscape. Organizations must stay one step ahead of cyber threats by staying informed, addressing vulnerabilities promptly, and continuously improving their security practices to safeguard their valuable data and infrastructure.