From the end of 2019 on, we reported two critical vulnerabilities in the Ivanti DSM Suite to the vendor. The following CVE IDs were assigned to the issues (but note that they have a status of RESERVED, i.e. titles and descriptions may change in the future):

  • CVE-2020-12441: Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4
  • CVE-2020-13793: Unsafe storage of AD credentials in Ivanti DSM netinst 5.1

The vulnerabilities have meanwhile been fixed and an updated software version can be downloaded here.

The vulnerabilities have been found in the course of an extensive research project, in which we analyze the security of multiple end-system management solutions. Similar vulnerabilities have been found in other solutions and are currently in the responsible disclosure process. The final outcome of the research project will be published as a conference talk and/or whitepaper as soon as the project including all disclosure processes is finished.

We provide a short description of each issue here so that its impact can be understood better:

CVE-2020-12441

CVE-2020-12441 is a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent, which can be triggered over the network (default port: 5900). The overflow causes a Denial-of-Service, and it may be possible to extend it to gain Remote Code Execution on the system.

The following products have been tested as vulnerable so far:

Product: HEATRemoteServer.exe
SW Version: 7.4

CVE-2020-13793

The Ivanti DSM netinst program stores encrypted passwords of service accounts in configuration files on end user systems. At least one of the available encryption methods uses a static, hard-coded key that can be extracted from the DSM Client Agent executables. Both the configuration file and the DLL libraries that contain the hard-coded key are readable by unprivileged users. The service account passwords can therefore be decrypted with the static key, and these accounts likely have elevated privileges on end user and server systems in the respective environment.

The following products have been tested as vulnerable so far:

Product: Ivanti DSM netinst
SW Version: 5.1
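The exposure described above depends on two conditions being true at once: the configuration file holding the encrypted service account password is readable by unprivileged users, and so is the DLL holding the static key. The following PowerShell script is an added example (it is neither part of the ERNW advisory nor Ivanti code) that audits the NTFS ACLs of such files and reports any low-privilege principal with read access. The file paths are placeholders; substitute the locations from your own deployment.

```powershell
# Added example, not from the advisory or the vendor: audit whether unprivileged
# principals can read the DSM netinst configuration file and the client agent DLLs.
# The paths are placeholders and must be replaced with the real locations.
param(
    [string[]]$Paths = @(
        'C:\PLACEHOLDER\DSM\netinst.cfg',   # placeholder: config file with the encrypted password
        'C:\PLACEHOLDER\DSM\Client\*.dll'   # placeholder: agent DLLs that may embed the static key
    )
)

# Principals whose "Allow read" entry means any local user can read the file.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# ReadData is the access bit that allows reading file contents.
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-UnprivilegedRead {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $id) { continue }
        # Cast to int so generic rights (large or negative values) are handled too.
        if (([int]$ace.FileSystemRights -band $ReadData) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $Paths) {
    foreach ($item in Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue) {
        Test-UnprivilegedRead -Path $item.FullName
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("Unprivileged principals can read {0} file(s). " -f @($findings).Count +
        "A static key stored in a readable DLL provides no confidentiality for the credentials in the config.")
} else {
    Write-Output 'No unprivileged read access found on the inspected files.'
}
```

Run it from an elevated prompt on a managed client so that `Get-Acl` can read every ACL. A finding on both the configuration file and a key-bearing DLL reproduces the precondition of the issue; tightening the ACLs reduces exposure, but the durable fix is the vendor update, since a key that ships inside a client binary is not a secret regardless of file permissions.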

clou & mantz

—————————————————————————

This work has been conducted on behalf of the ERNW Research GmbH.

Disclosure Timeline – CVE-2020-13793

  • 30.10.2019: Vulnerability reported to vendor by e-mail and disclosure deadline set to 20.01.2020.
  • 30.10.2019: Vulnerability acknowledged by vendor.
  • 15.01.2020: Telephone conference with development team.
  • 27.01.2020: E-mail sent to vendor to ask if we can disclose the issue as the disclosure deadline has been reached.
  • 27.01.2020: E-mail by vendor to ask if the disclosure deadline can be postponed till mid of March.
  • 28.01.2020: E-mail to vendor to accept postponed disclosure deadline.
  • 04.03.2020: As the disclosure deadline approached, e-mail sent to vendor to get an update on the issue.
  • 05.03.2020: Vendor notified that new version should be released end of March. Therefore, we extended disclosure deadline to end of March.
  • 31.03.2020: E-mail to vendor to get status update for the issue.
  • 31.03.2020: Vendor notified us that the new version with the fix was released on 30.03.2020.
  • 24.06.2020: Disclosure of vulnerability on this blog.

Disclosure Timeline – CVE-2020-13793

  • 26.02.2020: Vulnerability reported to vendor by e-mail and disclosure deadline set to 26.05.2020.
  • 26.02.2020: Vulnerability acknowledged by vendor.
  • 06.05.2020: As the disclosure deadline approached, e-mail sent to vendor to get an update on the issue.
  • 13.05.2020: E-mail sent to vendor to get an update on the issue.
  • 13.05.2020: Vendor responded that vulnerability has been fixed.
  • 24.06.2020: Disclosure of vulnerability on this blog.