Embedded malicious code (backdoor) in Endpoint Manager - CVE-2021-44529
Published: February 19, 2024 / Updated: August 16, 2024
Vulnerability identifier: #VU86573
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2021-44529
CWE-ID: CWE-506
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Ivanti
Affected software:
Endpoint Manager
Endpoint Manager
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) within the "/opt/landesk/broker/webroot/lib/csrf-magic.php" file. A remote non-authenticated attacker can set specially crafted cookies and gain unauthorized access to the application.
Note, the vulnerability patched in 2021 by Ivanti is considered a backdoor.
How to mitigate CVE-2021-44529
Install updates from vendor's website.
Sources
- https://forums.ivanti.com/s/article/SA-2021-12-02
- http://packetstormsecurity.com/files/166383/Ivanti-Endpoint-Manager-CSA-4.5-4.6-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170590/Ivanti-Cloud-Services-Appliance-CSA-Command-Injection.html
- https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
- https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529