Skip to the content.

DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution

Our reference DIVD-2021-00037
Case lead Victor Gevers
Author
Researcher(s)
CVE(s)
Products
  • ITarian All-in-one SaaS for MSPs
  • ITarian On-Premise
  • ITarian Endpoint Manager Communication Client
Recommendation Update the ITarian Endpoint Manager Communication Client wherever possible. Stop using the On-Premise version.
Patch status Not patched
Status Closed
Last modified 02 Nov 2022 21:18 CET

Summary

DIVD researchers have identified multiple vulnerabilities in ITarian products. The vulnerabilities have been found in the following products:

ITarian on-premise platform is vulnerable to:

Endpoint Manager Communication Client was vulnerable to:

The Saas Platform had an additional vulnerability:

On 18 Feb 2022, the vulnerability in the Endpoint Manager Communications Client was resolved. The other vulnerabilities were resolved on 19 May 2022.

The coordinated vulnerability process worked but suffered from a communications breakdown, which caused a serious delay in the issues being resolved. However, once there was a direct communications line between DIVD researchers and ITarian’s software engineering, the issues were resolved quickly.

The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152 an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges. It is a small consolidation that the service desk module is not turned on by default.

It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed us that it will not be updated.

What you can do

All users of ITarian products should be aware of the privilege escalation on Endpoint Manager Communications Client on Windows. This agent is installed by default on all Windows systems managed via either the Saas or on-premise version of ITarian and allowed an attacker with low privilege system access to escalate privileges to SYSTEM. We advise users to update this agent to at least version v7.0.42012.22030

The vulnerabilities we reported in the SaaS service, have all been resolved in version v3.49.0. This is an upgrade performed by ITarian, and no user action is required.

ITarian has informed us that support for their on-premise solution has seized over two years ago and that the vulnerabilities we found will therefore not be fixed in this version. Given the seriousness of the solution and the power of the platform, we would recommend those using the on-premise version to: a. Investigate alternative solutions. Either the ITarian SaaS service or another on-premise product as this product is no longer supported b. To fully disconnect the ITarian on-premise solution from the internet, and c. To not rely upon the permissions and approvals model built into ITarian.

What we are doing

We have worked with ITarian to the best of our abilities to get these vulnerabilities fixed in a timely manner.

At this moment in time, we have identified that there are a, very limited number of, ITarian on-premise installations still internet accessible. We will try to contact the owners of these installations to warn them.

Timeline

Date Description
01 Dec 2021 Three vulnerabilities discovered
01 Dec 2021 Additional vulnerability discovered
06 Jan 2022 Vulnerabilities reported to Brad Miller, the ITarian CEO via email. But, the email bounced
06 Jan 2022 Vulnerabilities reported to ITarian support via email
11 Jan 2022 We were able to reach a contact at a sister company of ITarian via LinkedIn
12 Jan 2022 Reported the detailed findings to our contact via email. Contact reports that the details of the vulnerabilities have been forwarded to the ITarian CEO and that information was received.
12 Jan 2022-
19 Jan 2022
Time to acknowledge receipt
19 Jan 2022 Our contact confirms receipt of the details and states that he ‘will verify this with my engineering team and let you know’
14 Feb 2022 Released a TLP-Amber warning to Trusted Information Sharing Partners
12 Jan 2022-
18 Feb 2022
Time to acknowledge CVE-2022-25153
18 Feb 2022 Unknown to us, ITarian patches CVE-2022-25153 in version v7.0.42012.22030 of the End Point Manager Communications Client
12 Jan 2022-
18 Feb 2022
Time to patch CVE-2022-25153
28 Apr 2022 Informed our contact, the ITarian Chairman & Founder, CEO, CMO, and CISO via LinkedIn as well as support and Sales via email of pending publication on 1 Jun 2022
29 Apr 2022 DIVD gets introduced to a Technical Executive at ITarian/Comodo, remediation process starts
05 May 2022 DIVD and Technical Executive have an in-depth conversation. ITarian acknowledges CVE-2022-25151, CVE-2022-25152 as well as the XSS in the helpdesk function
12 Jan 2022-
05 May 2022
Time to acknowledge CVE-2022-25151, CVE-2022-25152, and XSS
19 May 2022 CVE-2022-25151, CVE-2022-25152 and XSS patched in SaaS version
12 Jan 2022-
19 May 2022
Time to patch CVE-2022-25151, CVE-2022-25152, and XSS
12 Jan 2022-
08 Jun 2022
Time to (limited) public disclosure
08 Jun 2022 DIVD publicly releases limited information about the vulnerabilities
12 Jan 2022-
01 Jul 2022
Time to full public disclosure
01 Jul 2022 Planned full disclosure
10 Aug 2022 Full disclosure
10 Oct 2022 Case Closed
gantt title DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution (313 days) :2021-12-01, 2022-10-10 section Events Three vulnerabilities discovered : milestone, 2021-12-01, 0d Additional vulnerability discovered : milestone, 2021-12-01, 0d Vulnerabilities reported to Brad Miller, the ITarian CEO via email. But, the email bounced : milestone, 2022-01-06, 0d Vulnerabilities reported to ITarian support via email : milestone, 2022-01-06, 0d We were able to reach a contact at a sister company of ITarian via LinkedIn : milestone, 2022-01-11, 0d Reported the detailed findings to our contact via email. Contact reports that the details of the vulnerabilities have been forwarded to the ITarian CEO and that information was received. : milestone, 2022-01-12, 0d Time to acknowledge receipt (7 days) : 2022-01-12, 2022-01-19 Our contact confirms receipt of the details and states that he ‘will verify this with my engineering team and let you know’ : milestone, 2022-01-19, 0d Released a TLP-Amber warning to Trusted Information Sharing Partners : milestone, 2022-02-14, 0d Time to acknowledge CVE-2022-25153 (37 days) : 2022-01-12, 2022-02-18 Unknown to us, ITarian patches CVE-2022-25153 in version v7.0.42012.22030 of the End Point Manager Communications Client : milestone, 2022-02-18, 0d Time to patch CVE-2022-25153 (37 days) : 2022-01-12, 2022-02-18 Informed our contact, the ITarian Chairman & Founder, CEO, CMO, and CISO via LinkedIn as well as support and Sales via email of pending publication on 1 Jun 2022 : milestone, 2022-04-28, 0d DIVD gets introduced to a Technical Executive at ITarian/Comodo, remediation process starts : milestone, 2022-04-29, 0d DIVD and Technical Executive have an in-depth conversation. ITarian acknowledges CVE-2022-25151, CVE-2022-25152 as well as the XSS in the helpdesk function : milestone, 2022-05-05, 0d Time to acknowledge CVE-2022-25151, CVE-2022-25152, and XSS (113 days) : 2022-01-12, 2022-05-05 CVE-2022-25151, CVE-2022-25152 and XSS patched in SaaS version : milestone, 2022-05-19, 0d Time to patch CVE-2022-25151, CVE-2022-25152, and XSS (127 days) : 2022-01-12, 2022-05-19 Time to (limited) public disclosure (147 days) : 2022-01-12, 2022-06-08 DIVD publicly releases limited information about the vulnerabilities : milestone, 2022-06-08, 0d Time to full public disclosure (170 days) : 2022-01-12, 2022-07-01 Planned full disclosure : milestone, 2022-07-01, 0d Full disclosure : milestone, 2022-08-10, 0d Case Closed : milestone, 2022-10-10, 0d

More information: