#VU86573 Embedded malicious code (backdoor) in Endpoint Manager - CVE-2021-44529

Cybersecurity Help s.r.o.

Published: 2024-02-19 | Updated: 2024-08-16

Vulnerability identifier: #VU86573

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2021-44529

CWE-ID: CWE-506

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Endpoint Manager
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Ivanti

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) within the "/opt/landesk/broker/webroot/lib/csrf-magic.php" file. A remote non-authenticated attacker can set specially crafted cookies and gain unauthorized access to the application.

Note, the vulnerability patched in 2021 by Ivanti is considered a backdoor.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Endpoint Manager: before 4.6

External links
https://forums.ivanti.com/s/article/SA-2021-12-02
https://packetstormsecurity.com/files/166383/Ivanti-Endpoint-Manager-CSA-4.5-4.6-Remote-Code-Execution.html
https://packetstormsecurity.com/files/170590/Ivanti-Cloud-Services-Appliance-CSA-Command-Injection.html
https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Code injection in Ivanti Endpoint Manager