Overview
Ivanti EPM Cloud Services Appliance (CSA) contains a code injection vulnerability that allows unauthenticated users to execute arbitrary code with limited permissions (the nobody user). The vulnerability exists in versions before 4.6.0-512 and requires no authentication to exploit. The vulnerability was disclosed on December 8, 2021. CISA has identified CVE-2021-44529 as being exploited, and it is known to be used in ransomware campaigns.
Technical details
The Ivanti EPM Cloud Services Appliance contains a code injection vulnerability in its web interface that allows unauthenticated attackers to execute arbitrary code. The vulnerability stems from improper input validation and sanitization of user-supplied data that gets processed by the application without proper security checks.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical severity.
Impact
Attackers can execute arbitrary code on the affected system with limited permissions (nobody user). While the code execution context is restricted, attackers can still potentially read sensitive data, modify system configuration, launch further attacks, or disrupt service availability. This is a critical vulnerability as it allows unauthenticated remote code execution on a network-accessible appliance.
Mitigation and workarounds
Upgrade Ivanti EPM Cloud Services Appliance to version 4.6.0-512 or later. Contact Ivanti support for upgrade assistance and detailed instructions specific to your deployment. The following versions include the necessary fixes: 4.6.0-512 and later.
As temporary workarounds:
- Implement network-level access controls to restrict access to the Ivanti EPM CSA web interface to trusted networks/IP addresses only. Use a web application firewall (WAF) or network firewall to limit inbound traffic.
- Disable unnecessary network services and endpoints on the appliance if they are not required for your deployment.
- Monitor system logs and network traffic for suspicious patterns indicative of code injection attempts.
CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
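To help operators find which appliances still fall in the affected range, here is an added example (not Ivanti's code and not part of the original report) that parses the major.minor.patch-build version form quoted above and triages a constructed inventory; the hostnames and versions in it are made up.

```python
import re

# Per the advisory, versions before 4.6.0-512 are affected.
FIXED_VERSION = "4.6.0-512"

# Assumed version format: major.minor.patch-build, e.g. "4.6.0-512".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a CSA version string into a comparable (major, minor, patch, build)
    tuple. Unexpected formats raise ValueError instead of being guessed, so a
    malformed inventory entry is never silently reported as patched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CSA version format: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version sorts before the fixed build (tuple comparison
    is lexicographic, so 4.5.0-999 < 4.6.0-512 and 4.6.1-1 > 4.6.0-512)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each appliance as 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "csa-01.example.internal": "4.6.0-511",
    "csa-02.example.internal": "4.6.0-512",
    "csa-03.example.internal": "4.5.0-999",
    "csa-04.example.internal": "4.6.1-1",
    "csa-05.example.internal": "4.6",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as "unknown" should be checked by hand rather than assumed patched.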
Additional resources
Source: This report was generated by AI.