
Ivanti Warns of Critical Vulnerability In Its Popular Line of Endpoint Protection Software (arstechnica.com)

Dan Goodin reports via Ars Technica: Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks. The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti officials wrote Friday in a post announcing the patch availability. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there's no known evidence the vulnerability is under active exploitation. Ivanti has also published a disclosure that is restricted only to registered users. A copy obtained by Ars said Ivanti learned of the vulnerability in October. [...]

Putting devices running Ivanti EDM behind a firewall is a best practice and will go a long way to mitigating the severity of CVE-2023-39336, but it would likely do nothing to prevent an attacker who has gained limited access to an employee workstation from exploiting the critical vulnerability. It's unclear if the vulnerability will come under active exploitation, but the best course of action is for all Ivanti EDM users to install the patch as soon as possible.
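The summary's description of the bug class (data concatenated into SQL text instead of being passed as data) can be seen in a small added example. This is not Ivanti's code and not from the article; the `devices` table, its rows and the function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3

def make_db():
    """Constructed in-memory inventory (sample data, not any product's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, owner TEXT, hostname TEXT)")
    db.executemany(
        "INSERT INTO devices (owner, hostname) VALUES (?, ?)",
        [("alice", "ws-001"), ("bob", "ws-002"),
         ("carol", "srv-db"), ("o'brien", "ws-003")],
    )
    return db

def lookup_concatenated(db, owner):
    # Weak form: the value is pasted into the SQL text, so a quote in
    # `owner` ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT hostname FROM devices WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, owner):
    # Hardened form: the SQL text is fixed and the driver binds the value
    # separately, so it is only ever compared as data.
    sql = "SELECT hostname FROM devices WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]

def concatenated_breaks_on(db, owner):
    # Even benign input containing a quote breaks the concatenated query.
    try:
        lookup_concatenated(db, owner)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed test input
    print("concatenated, normal :", lookup_concatenated(db, "alice"))
    print("concatenated, crafted:", lookup_concatenated(db, crafted))
    print("parameterized, crafted:", lookup_parameterized(db, crafted))
    print("parameterized, o'brien:", lookup_parameterized(db, "o'brien"))
    print("concatenated fails on o'brien:", concatenated_breaks_on(db, "o'brien"))
```

With the crafted input the concatenated query returns every row, while the parameterized query returns none; the apostrophe in a legitimate name is enough to make the concatenated form fail outright.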

  • by Njovich ( 553857 ) on Friday January 05, 2024 @09:09PM (#64135511)

    Nice job protecting those endpoints. Like with Solarwinds these solutions seem to be better at providing an entrypoint for attackers rather than stopping the attacks from happening. Now if this was a sophisticated attack it would be one thing, but SQL injection in a security product in this day and age?

    • That darn Little Bobby Tables is up to no good again!

    • by gweihir ( 88907 )

      Indeed. For things to go this badly wrong on an absolute beginner's mistake, there will not have been any actual security experts involved. Not only that, the coders that made this crap and the testers that let it pass must have been seriously incompetent. Of course that all falls back to greedy asshole management, that tries to do things cheaper than possible. And these people should face personal punishment for that.

  • by Art Challenor ( 2621733 ) on Friday January 05, 2024 @11:51PM (#64135541)
    Assuming that Bobby was just starting school on 2007/10/10 he'd now be just about graduating college...
  • this is from a company specializing in security software solutions:

    from concatenating data with SQL code without quoting the data in accordance with the SQL syntax

    and we're afraid of ai. pffft ...

    • From now on, you should basically assume that all Ivanti products are insecure, because they almost certainly are.
  • We have seen a lot of commercial "security" products with critical vulnerabilities up to and including full supply chain compromise in the last few years. In many (most?) cases, the attacks were not very sophisticated. My take is that quite a few enterprises that do not have what it takes at all have entered the market and that established vendors have moved to "cheaper than possible" engineering to save cost. Obviously, that stupidity ends up threatening their existence. There are also a few large old ven

    • SQL injection is a good example of a bug that should be negligence. There are plenty of ways to avoid them. They should never happen.
      • by gweihir ( 88907 )

        Indeed. I would go one step further and say that at the current state-of-the-art it is always negligence, but unless the accused party can prove different, it is gross negligence because you have to willfully ignore basic rules of the art. Any at least somewhat credible software security catalog lists SQL injection as important to prevent, often in the form of more general injection with SQL injection as example. Any halfway competent attacker looks for injection attack vectors.

        It is really time to end this

    • by Slayer ( 6656 )

      Yes, current "security products" sometimes bring in weaknesses, which even a standard home router (at least one without remote access) would have handled better. Yes, this is a massive shame, but I see no immediate change in this industry, in fact I do not even see any pressure for change. For Solarwinds, Microsoft and Kaseya everything is business as usual, as if nothing ever happened. However, and this is where these lame "security product" vendors still shine compared to your average home router: they se

  • We've known how to stop SQL injections for over 20 years now. Ivanti is still having problems with them, which means they are utterly incompetent.
  • Agile! (Score:4, Interesting)

    by TechyImmigrant ( 175943 ) on Saturday January 06, 2024 @12:16AM (#64135589) Homepage Journal

    By any chance, was an agile methodology used in the development of this security software?

    I have seen first hand just how much agile poisons secure development by interrupting the deep analysis that is needed for the development of secure things. Corps love them some agile. I am fortunate to be in a position to prevent its use where I work.

    • by jmccue ( 834797 )
      No kidding, and there are plenty of examples how it has ruined User Facing Applications. One example is Firefox releases every other day it seems. I still hear complaints about how much better Firefox was 20 years ago, which I believe it was.
    • by Himmy32 ( 650060 )
      You assume that's changed much since the days it was called LANDesk. It hasn't.
  • I mean what other reasons does one have to install "Endpoint Protection Software"? It would be highly illogical to expect "more software" to solve the problem of too many security critical bugs. After all that problem is already caused by too much software.

    It's like trying to drain your cellar by putting in more water, or like trying to get slim by eating a lot more food.

  • Inexcusable vulnerabilities involving naive parsing and injection attacks have been a common feature of the security industry for decades.
