Virsec Security Research Lab

CVE-2020-13769 SQL Injection in Ivanti Endpoint Manager

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

1.1        Vulnerability Summary

LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.

Ivanti Unified Endpoint Manager is an endpoint and user-profile management software that is core to: 1) discovering everything that touches your network; 2) automating software delivery; 3) reducing headaches with login performance; and 4) integrating actions with multiple IT solutions.

Researchers Andrei Constantin Scutariu, Lenk Ratchakrit, and Calvin Yau found two URLs (listed below) to be vulnerable to SQL injection:

  1. POST /LDMS/alert_log.aspx?d=alert_log&tb=serverAlertLog.tb;

“filterValue” parameter

Type: Stacked, time-based blind, boolean-based blind
Example: filterValue=';injection_query_here--

  2. POST /remotecontrolauth/api/device

“global”, “displayname”, “ipaddress”, “owner” parameters
Type: Time-based blind, boolean-based blind
Example: "global":"'+(injection_query_here)+'"
This instance also requires a valid “sessionid” in the request.
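
As an added illustration (not Virsec's or Ivanti's code), the following Python sketch checks POST requests to the two endpoints above for SQL syntax following a quote in the listed parameters, and validates "ipaddress" against an allow-list. The request tuples, the regular expression and the function names are assumptions made for this example; legitimate display names can contain apostrophes, so the pattern only fires when SQL syntax follows the quote.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory (paths lower-cased for matching).
WATCHED = {
    "/ldms/alert_log.aspx": ("form", ["filtervalue"]),
    "/remotecontrolauth/api/device": ("json", ["global", "displayname", "ipaddress", "owner"]),
}
# Assumed heuristic: a quote followed by a separator, comment, concatenation or keyword.
SUSPICIOUS = re.compile(r"'\s*(;|--|\+|\|\||or\b|and\b|union\b)", re.I)

def extract_fields(kind, body):  # decode a form or JSON body into {lower-cased name: value}
    if kind == "form":
        return {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    return {str(k).lower(): v for k, v in doc.items()} if isinstance(doc, dict) else {}

def inspect_request(method, url, body):
    """Return [(parameter, reason)] for one request; an empty list means nothing flagged."""
    path = urlsplit(url).path.lower()
    if method.upper() != "POST" or path not in WATCHED:
        return []
    kind, params = WATCHED[path]
    fields = extract_fields(kind, body)
    findings = []
    for name in (p for p in params if p in fields):
        value = str(fields[name])
        if name == "ipaddress":
            # Allow-list check: anything that does not parse as an IP is reported.
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append((name, "not a valid IP address"))
        elif SUSPICIOUS.search(value):
            findings.append((name, "quote followed by SQL syntax"))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/LDMS/alert_log.aspx?d=alert_log", "filterValue=%27%3Binjection_query_here--"),
    ("POST", "/remotecontrolauth/api/device",
     '{"global": "\'+(injection_query_here)+\'", "displayname": "O\'Brien laptop", "ipaddress": "10.0.0.5"}'),
]
for sample in SAMPLES:
    print(sample[1], inspect_request(*sample))
```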

1.2        CVSS Score

The CVSS Base Score is 7.4 (High)

1.3        Affected Version

Ivanti Endpoint Manager versions <= 2020.1; <= 2019.1.3. Patched software is available in version 2020.1.1.

1.4        Vulnerability Attribution

Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

1.5        Risk Impact

The product appears in the “challenger” category of Gartner’s Magic Quadrant for Unified Endpoint Management. SQL injection vulnerabilities have the potential to become very serious very quickly. A carefully crafted SQL statement can cause tables to be dropped or web shells to be dropped on the attacked server, and can lead to loss of sensitive PII. A public domain exploit is available here.

1.6        Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)- Web can detect SQL Injection attacks reliably and can save its customers from this type of attack.
