install rpm url [patch_url] command.

The RPM_12.x.0.x patch is applicable to EPMM software versions 12.5.0.x, 12.6.0.x, and 12.7.0.x. It is also compatible with the older 12.3.0.x and 12.4.0.x versions. Meanwhile, the RPM_12.x.1.x patch is applicable to versions 12.5.1.0 and 12.6.1.0.

“The RPM script does not survive a version upgrade,” the company warns. “If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0.”

While the Ivanti Sentry gateway product, which secures traffic between mobile devices and back-end enterprise systems, is not directly affected by these vulnerabilities, EPMM appliances do have command execution permission on Sentry gateways. As such, if an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well.

Researchers from penetration testing firm WatchTowr reverse engineered the patches and were able to figure out where the vulnerabilities are located and how to exploit them. A detailed write-up is available on the company’s blog.
Exploit detection and remediation: Ivanti published a separate document with guidance on how to scan EPMM appliances for potential compromise through these vulnerabilities. First off, the Apache access log found at /var/log/httpd/https-access_log could hold evidence of attempted or successful exploitation of these vulnerabilities.

The company advises triaging logs with the regular expression ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 and looking for HTTP 404 error response codes as well as GET requests with parameters that contain bash commands.

“The most common is the introduction of, or modification of, malicious files to introduce web shell capabilities,” the company said. “Ivanti has commonly seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system.”

One thing to note is that attackers regularly delete logs to hide their tracks, and that on systems with high utilization the logs might be rotated multiple times a day. That’s why customers are strongly advised to use the Data Export features to forward logs from the EPMM appliance to their SIEM system or other log aggregators.

For any appliance that you suspect may be impacted, Ivanti recommends reviewing:
- EPMM administrators for new or recently changed administrators
- Authentication configuration, including SSO and LDAP settings
- New pushed applications for mobile devices
- Configuration changes to applications you push to devices, including in-house applications
- New or recently modified policies
- Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

After restoring a compromised EPMM appliance from clean backups, customers should reset the password of any local EPMM accounts, reset the password of any LDAP and/or KDC service accounts used to perform lookups, revoke and replace the public certificate used on the EPMM deployment, and reset the password for any other internal or external service accounts configured on the EPMM solution.

Because EPMM has command execution on Sentry, and Sentry routes traffic from mobile devices to internal network systems, the systems that Sentry can access should also be reviewed for signs of compromise.
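The log triage Ivanti describes above, turned into a small script as an added example for this page (it is not Ivanti's tooling, and the only thing taken verbatim from the guidance is the published regular expression). It assumes the https-access_log lines start with client:port and otherwise follow the usual Apache combined format, adds a shell-metacharacter check on GET query strings as a stand-in for the "parameters that have bash commands" indicator, and flags POST requests or parameterised requests to any NNN.jsp error page (the guidance names 401.jsp; matching other three-digit error pages is an assumption). The sample log lines are constructed, with PLACEHOLDER standing in for request details.

```python
import re
from typing import Dict, List

# Triage regex exactly as Ivanti published it (quoted in the article).
IVANTI_TRIAGE_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Pulls method, request target and status out of one access-log line.
# Assumption: https-access_log lines look like
#   client:port - - [timestamp] "METHOD target HTTP/x.y" status bytes
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Shell metacharacters in a GET query string: a cheap stand-in for the
# "parameters that have bash commands" indicator. Assumption: legitimate
# EPMM clients never send these.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")

# Requests to HTTP error pages (401.jsp is the one Ivanti names; matching any
# NNN.jsp is an assumption) with POST or with parameters are "highly suspicious".
ERROR_PAGE_RE = re.compile(r"/\d{3}\.jsp$")


def triage_line(line: str) -> List[str]:
    """Return the indicators a single access-log line trips (empty list if none)."""
    reasons: List[str] = []
    if IVANTI_TRIAGE_RE.search(line):
        reasons.append("ivanti-regex-404")
    m = REQUEST_RE.search(line)
    if m is None:
        return reasons
    method, target = m.group("method"), m.group("target")
    path, _, query = target.partition("?")
    if method == "GET" and query and SHELL_META_RE.search(query):
        reasons.append("shell-metachars-in-query")
    if ERROR_PAGE_RE.search(path) and (method == "POST" or query):
        reasons.append("error-page-post-or-params")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its indicators; clean lines are dropped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample log lines (not real appliance output). PLACEHOLDER stands in
# for request details this example does not need.
SAMPLE_ACCESS_LOG = [
    # local traffic: excluded by the regex's negative lookahead
    '127.0.0.1:43210 - - [01/Jan/2025:10:00:01 +0000] "GET /mifs/c/aftstore/fob/PLACEHOLDER HTTP/1.1" 404 196',
    # external client, vulnerable path, 404 response, shell metacharacter in the query
    '203.0.113.10:51234 - - [01/Jan/2025:10:00:02 +0000] "GET /mifs/c/aftstore/fob/PLACEHOLDER?name=x;PLACEHOLDER HTTP/1.1" 404 196',
    # POST to an error page: possible web-shell interaction
    '198.51.100.7:40022 - - [01/Jan/2025:10:00:03 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 512',
    # ordinary successful app-store request: nothing flagged
    '203.0.113.22:50010 - - [01/Jan/2025:10:00:04 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_ACCESS_LOG).items():
        print(", ".join(reasons), "<-", line)
```

Run against the forwarded copies of the log in your SIEM rather than only the appliance itself, since the article notes attackers delete logs and busy appliances rotate them several times a day. The published regex matches "404" anywhere after the fob/ path segment, so it will also fire on a 404 inside a response size or timestamp; treat its hits as candidates for analyst review, not verdicts.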
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4125196/ivanti-patches-two-actively-exploited-critical-vulnerabilities-in-epmm.html