Ivanti's Endpoint Manager Cloud Service Hit by Code Injection Backdoor
Security researchers at Bitsight have discovered a backdoor in Ivanti's Endpoint Manager Cloud Service Appliance. The vulnerability, identified as CVE-2021-44529, allows for code injection through the 'csrf-magic' open-source component. Ivanti has since issued a fix and a workaround.
Because the software's version could not be fingerprinted, Bitsight's team detected the vulnerability by analyzing its behavior. They found a backdoor that executes a payload when the first cookie in the request carries the value 'ab'; the result is then appended to an XML-like custom tag in the response.
A simple GET request with the specified cookie structure can detect the backdoor without executing any payload or causing intrusive behavior. Ivanti issued patch 512 to fix the issue and provided a workaround involving manual editing of the csrf-magic.php file.
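The same trigger can be watched for on the defender's side. The following is an added example (not Bitsight's or Ivanti's code) that reviews proxy log lines in front of a CSA and flags requests whose first cookie carries the 'ab' value the article names; it assumes the proxy logs the raw Cookie header as a quoted `Cookie="..."` field, treats 'ab' as a prefix match (an assumption, since the article only gives the value), and uses constructed sample lines.

```python
import re
from typing import List, Optional, Tuple

# Assumption (constructed for this example): the proxy in front of the Ivanti CSA
# logs the raw Cookie request header in double quotes after the usual fields.
COOKIE_FIELD = re.compile(r'Cookie="([^"]*)"')
TRIGGER = "ab"  # value named in the article as the backdoor trigger


def first_cookie(cookie_header: str) -> Optional[Tuple[str, str]]:
    """Return the (name, value) of the first cookie pair in a Cookie header.

    The backdoor keys off the first cookie only, so ordering matters and
    later pairs are ignored here just as the backdoor ignores them.
    """
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair:
            name, _, value = pair.partition("=")
            return name.strip(), value.strip()
    return None


def is_trigger_request(cookie_header: str) -> bool:
    """True when the first cookie value is, or begins with, the trigger.

    Prefix matching (an assumption, not stated in the article) catches a bare
    'ab' probe as well as a value carrying more after it; review hits, since a
    legitimate cookie value can start with 'ab' by chance.
    """
    fc = first_cookie(cookie_header)
    return fc is not None and fc[1].startswith(TRIGGER)


def scan_log(lines: List[str]) -> List[str]:
    """Return the log lines whose Cookie header matches the trigger pattern."""
    hits = []
    for line in lines:
        m = COOKIE_FIELD.search(line)
        if m and is_trigger_request(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample lines, not real traffic: only the second one is a trigger,
# the third has 'ab' in a later cookie and is correctly left alone.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 Cookie="PHPSESSID=9f2e1c; lang=en"',
    '203.0.113.9 - - [01/Dec/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 640 Cookie="x=ab"',
    '198.51.100.7 - - [01/Dec/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 Cookie="lang=en; x=ab"',
]
```

Run `scan_log(SAMPLE_LOG)` to see the single flagged line; point it at real proxy logs once the Cookie field is being recorded.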
After the vulnerability was added to the CISA Known Exploited Vulnerabilities list, Bitsight's scans showed a decrease in internet-facing Ivanti Cloud Appliance instances. However, as of their latest scan, 41 instances remain vulnerable out of 1748 total Ivanti Cloud Appliances.
Bitsight's research highlights the importance of prompt vulnerability patching and the potential risks of using open-source components without proper scrutiny. Ivanti's response to the issue demonstrates their commitment to addressing security concerns. Organizations using Ivanti's Endpoint Manager are urged to apply the available patch or workaround to protect their systems.