New vulnerabilities reported in Ivanti Endpoint Manager
Take action: Although the score of the vulnerabilities is high, this is not a panic mode patch. Plan to update your endpoint manager in the regular patching cycle. Just don't ignore the issue.
Learn More
Ivanti has identified multiple vulnerabilities within the Ivanti Endpoint Manager software which expose potential risks for the IEM software various operating systems such as Linux, MacOS X, and Windows. The vulnerabilities in Ivanti Endpoint Manager pose a risk of information disclosure and potential server side request forgery attacks.
- The first vulnerability, tracked as CVE-2023-38343 (CVSS3 score 9.8) is an XXE (XML external entity injection) vulnerability in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.
- The second vulnerability, tracked as CVE-2023-38344 (CVSS3 score 6.5) is a file disclosure vulnerability in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access. The vulnerability exists in Ivanti Endpoint Manager before 2022 SU4.
Users and administrators of Ivanti are recommended to update their product to the latest version of the product.
