Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2023-28324

Disclosure Date: July 01, 2023

Description

An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.

Technical Analysis

CVE-2023-28324 is an unauthenticated RCE affecting Ivanti EPM versions 2022 SU2 and prior. It was noted by Ivanti on June 7th, 2023 and later analyzed by Horizon3. The root cause of the vulnerability is an exposed .NET remoting method that can be used to execute an arbitrary OS command on the affected server. The .NET remoting service changes its port on each boot, and the ports used are typically unprivileged, high ports. An attacker would need to scan high TCP port ranges to identify a listening service.

Once found, however, the attacker can invoke the Request method on the LANDesk.AgentPortal.IAgentPortal service to execute an arbitrary command. Likewise, the GetResult method can be used to obtain the command output. The command is executed in the context of NT AUTHORITY\SYSTEM. A medium attacker value was selected due to the requirement of finding and connecting to the service. The high, unprivileged port is very unlikely to be available on an external network, making this vulnerability primarily useful from an internal network perspective. As is the case with most command execution vulnerabilities, exploitation is very reliable, and the target service is unlikely to crash even if the binary to run does not exist.

As noted in the Horizon3 analysis, the patch addresses the vulnerability by restricting what commands can be run to a static, predetermined set of values.
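The following is an added illustration and is not Ivanti's code nor code from the Horizon3 analysis. It models the shape of the flaw the assessment describes (a remotely reachable Request method that executes a caller-supplied command and a GetResult method that hands back its output) next to the shape of the fix (callers may only select from a static, predetermined set of commands). The class names, the two allow-list entries and the demo() helper are hypothetical, and the .NET remoting transport itself is not reproduced; the point is the trust boundary on the command string.

```python
"""Added illustration of the bug class described above; not Ivanti's code.

Method names (Request, GetResult) mirror the analysis; the bodies are
hypothetical and only model the shape of the flaw and of the fix.
"""
import subprocess
import sys
import uuid


class VulnerableAgentPortal:
    """Pre-patch shape: the string the remote caller passes to Request() is
    handed to a shell, so an unauthenticated client gets arbitrary command
    execution under the service account."""

    def __init__(self):
        self._results = {}

    def Request(self, command: str) -> str:
        # No authentication, no validation: the caller-controlled string is the command line.
        proc = subprocess.run(command, shell=True, capture_output=True, text=True)
        request_id = str(uuid.uuid4())
        # A non-existent binary only yields shell stderr; the service does not crash,
        # which is why exploitation of this class of bug is described as reliable.
        self._results[request_id] = proc.stdout + proc.stderr
        return request_id

    def GetResult(self, request_id: str) -> str:
        return self._results.get(request_id, "")


# Post-patch shape: the remote caller may only name an entry from a static,
# predetermined set; the argument vectors are fixed and no shell is involved.
# The real post-patch command set is not published on this page; these two
# entries are placeholders chosen so the example runs anywhere Python does.
ALLOWED_COMMANDS = {
    "python-version": [sys.executable, "--version"],
    "python-platform": [sys.executable, "-c", "import platform; print(platform.system())"],
}


class HardenedAgentPortal:
    def __init__(self):
        self._results = {}

    def Request(self, action: str) -> str:
        # Reject anything that is not a key of the allow-list before touching the OS.
        if action not in ALLOWED_COMMANDS:
            raise PermissionError(f"action not permitted: {action!r}")
        proc = subprocess.run(ALLOWED_COMMANDS[action], shell=False,
                              capture_output=True, text=True)
        request_id = str(uuid.uuid4())
        self._results[request_id] = proc.stdout + proc.stderr
        return request_id

    def GetResult(self, request_id: str) -> str:
        return self._results.get(request_id, "")


def demo():
    """Return (vulnerable_output, hardened_rejected, hardened_output)."""
    vuln = VulnerableAgentPortal()
    rid = vuln.Request("echo pwned")        # arbitrary command, runs as the service user
    vuln_out = vuln.GetResult(rid)

    hard = HardenedAgentPortal()
    try:
        hard.Request("echo pwned")           # the same payload is refused
        rejected = False
    except PermissionError:
        rejected = True
    rid = hard.Request("python-version")     # only predetermined actions run
    return vuln_out, rejected, hard.GetResult(rid)


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable portal echoing back the attacker's string while the hardened portal raises on it and only runs the fixed argument vector; asking the vulnerable portal to run a binary that does not exist returns a request ID and error text rather than taking the service down, which matches the reliability note in the assessment.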

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • ivanti

Products

  • endpoint manager
