DIVD-2022-00021 - Ivanti EPM CSA remote code execution

Our reference DIVD-2022-00021
Case lead Victor Gevers
Author Pepijn van der Stap
Researcher(s)
  • Pepijn van der Stap
CVE(s)
Product Ivanti EPM Cloud Services Appliance
Versions CSA 4.6 4.5 - EOF Aug 2021
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Workaround sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' /opt/landesk/broker/webroot/lib/csrf-magic.php
Status Closed
Last modified 20 Nov 2022 15:47 CET

Summary

On December 2, 2021, Ivanti published advisory about a critical remote code exectuion vulnerability affecting servers serving Ivanti EPM Cloud Services Appliance. A public proof of concept is available.

A backdoor had been added to a third-party library used by this product. Patches and workarounds are available. To remediate this vulnerability, apply Patch 512 to CSA version 4.6. If you are running an older version of the CSA, Ivanti strongly urges you to first upgrade to 4.6 and then apply Patch 512.

If you are unable to upgrade, SSH in to the CSA and execute the following command:

$ sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' /opt/landesk/broker/webroot/lib/csrf-magic.php

What you can do

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email and we’ll gladly help.

What we are doing

DIVD is currently searching for vulnerable instances of Ivanti EPM CSA. Any instance that is found to be vulnerable to this vulnerability will be notified.

Timeline

Date Description
02 Dec 2021 Ivanti publishes security advisory
24 Feb 2022 Ivanti updates security advisory
20 Mar 2022 Proof of concept is being widely shared online
25 Mar 2022 DIVD opens case DIVD-2022-00021
25 Mar 2022 Scanning
26 Mar 2022 First batch of notifications sent out
26 Mar 2022 First version of this case file online
08 Jun 2022 Rescan and scan, more notifications sent out
08 Jun 2022 Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)
20 Sep 2022 Rescan, notifications sent out
13 Nov 2022 Rescan, notifications sent out
20 Nov 2022 Closing this case.
gantt title DIVD-2022-00021 - Ivanti EPM CSA remote code execution dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00021 - Ivanti EPM CSA remote code execution (240 days) :2022-03-25, 2022-11-20 section Events Ivanti publishes security advisory : milestone, 2021-12-02, 0d Ivanti updates security advisory : milestone, 2022-02-24, 0d Proof of concept is being widely shared online : milestone, 2022-03-20, 0d DIVD opens case DIVD-2022-00021 : milestone, 2022-03-25, 0d Scanning : milestone, 2022-03-25, 0d First batch of notifications sent out : milestone, 2022-03-26, 0d First version of this case file online : milestone, 2022-03-26, 0d Rescan and scan, more notifications sent out : milestone, 2022-06-08, 0d Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) : milestone, 2022-06-08, 0d Rescan, notifications sent out : milestone, 2022-09-20, 0d Rescan, notifications sent out : milestone, 2022-11-13, 0d Closing this case. : milestone, 2022-11-20, 0d

More information