Ivanti has resolved a critical vulnerability in its Endpoint Manager (EPM) solution, tracked as CVE-2023-39336, with a severity score of 9.6/10.
The vulnerability affects EPM versions 2021 and 2022 before SU5 and can lead to Remote Code Execution (RCE) on affected servers.
The flaw is an SQL injection that requires no authentication, allowing attackers to execute arbitrary SQL queries and potentially gain control over machines running the EPM agent. The severity is heightened when the core server uses SQL Express.
Details of the CVE-2023-39336 Vulnerability Affecting Ivanti EPM
Ivanti has issued an advisory with comprehensive details and further information; access to it is restricted to its customers. Specific vulnerability details are currently withheld, likely to allow customers time for mitigation. They are slated to be disclosed in the upcoming days, and this blog will be promptly updated with the latest information.
Last month, Ivanti's security update for Avalanche, its Mobile Device Management (MDM) product, addressed 22 vulnerabilities, 13 of them categorized as critical.
These vulnerabilities were found in older versions of Avalanche (going back to 6.3.1 and potentially impacting all 6.X versions) and included unauthenticated stack-based and heap-based buffer overflows. They have the potential to allow Remote Code Execution without requiring user interaction. Over the course of the year, we have posted blog entries covering other noteworthy vulnerabilities affecting Ivanti products.