Undetected since 2014, the vulnerability allows you to hack devices through cookies.
The Ivanti vulnerability, which was disclosed 2 years ago, still causes concern among specialists due to its mysterious origin.
This is a code injection vulnerability, CVE-2021-44529 (CVSS score: 9.8), in the Ivanti EPM Cloud Services Appliance (CSA), which allows an unauthenticated attacker to execute arbitrary code with limited permissions (the "nobody" level of rights). After the vulnerability was discovered in 2021, Ivanti issued security guidance stating that the vulnerable code is located in "/opt/landesk/broker/webroot/lib/csrf-magic.php" and that the target of the attack is "/client/index.php".
Interest in this vulnerability increased after Tuan Anh Nguyen, a bug hunter and Viettel Cyber Security employee, mentioned in 2020 the presence of a backdoor in the csrf-magic library, which, according to him, is no longer maintained. A search for additional information about the backdoor in csrf-magic turned up nothing, but the Wayback Machine archive made it possible to locate the compromised file, whose last modification dates back to February 2014. This means that the vulnerability may have remained undetected for many years.
Further analysis revealed a backdoor mechanism hidden in obfuscated code at the end of the file. Deobfuscating that code showed that certain conditions on the cookies sent by the user's browser must be met to activate the backdoor.
It is noteworthy that the code dynamically generates a function to achieve remote code execution based on cookies (cookie-based RCE), even though the create_function() function is deprecated in PHP 8 and higher. The vulnerability is exploited through specially crafted Cookie headers containing base64-encoded PHP code. For the backdoor to fire, the number of cookie pairs must be greater than 3 and the value of the first pair must be "ab". If these conditions are met, the cookie at the position given by the counter value minus three is base64-decoded and executed.
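An added example, not from the original post or from Ivanti: a small Python detector that applies the trigger conditions just described to Cookie headers (for instance from a reverse-proxy or WAF log) and reports the candidate payload without executing it. The sample headers are constructed, and treating "counter value minus three" as a 0-based index into the cookie list is an assumption made for this example.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample Cookie headers (not captured traffic). Only the first
# has the trigger shape from the write-up: more than three cookie pairs,
# first value "ab", and a base64 payload at position (pair count - 3).
# Reading that position as a 0-based list index is an assumption here.
MARKER = base64.b64encode(b"echo 1;").decode()   # harmless constructed payload
SAMPLE_COOKIE_HEADERS = [
    "a=ab; b=" + MARKER + "; c=1; d=2",    # trigger shape, payload at index 1
    "PHPSESSID=abc123; theme=dark",        # ordinary session cookies
    "a=ab; b=" + MARKER + "; c=1",         # only three pairs: not enough
    "a=xyz; b=" + MARKER + "; c=1; d=2",   # first value is not "ab"
]

def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into ordered (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs

def try_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is valid base64, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def matches_trigger(header: str) -> Optional[dict]:
    """Flag a Cookie header with the csrf-magic backdoor trigger shape."""
    pairs = parse_cookie_header(header)
    if len(pairs) <= 3 or pairs[0][1] != "ab":
        return None
    idx = len(pairs) - 3
    name, value = pairs[idx]
    return {"pair_count": len(pairs), "candidate_index": idx,
            "candidate_name": name, "decoded_payload": try_base64(value)}

def scan_headers(headers: List[str]) -> List[int]:
    """Indices of headers worth alerting on, e.g. when replaying a log."""
    return [i for i, h in enumerate(headers) if matches_trigger(h) is not None]

if __name__ == "__main__":
    for i in scan_headers(SAMPLE_COOKIE_HEADERS):
        print(i, matches_trigger(SAMPLE_COOKIE_HEADERS[i]))
```

The decoded payload is returned only so an analyst can inspect it; the detector never evaluates it.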
Why such code was added to the software remains an open question: it may be a leftover test or a hidden method of accessing the hardware. A Shodan search shows that more than 2,000 CSA devices are still connected to the Internet, and about 15% of them are running an affected version.
To further escalate privileges on the device, you can take advantage of CVE-2021-4034 (CVSS score: 7.8) in the CentOS operating system underlying Ivanti CSA. Exploiting that flaw yields root rights.
According to experts, detecting and preventing the exploitation of such vulnerabilities requires a comprehensive approach, including regular scanning of systems for vulnerabilities, as well as the use of modern security and monitoring tools. The case of CVE-2021-44529 is a clear example of how old vulnerabilities can go unnoticed for a long time, creating potential security risks for information systems.
