[CDP-development] TLP:GREEN (Vulnerability Alert Notification) - CVE-2021-44529: Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Mar 25 12:57:29 PDT 2024
Good afternoon,
The SOC Services team is reporting on the vulnerability: CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability. Due to its high visibility and active exploitation, we are providing this in-depth information:
History: On December 02, 2021, Ivanti published a bulletin identifying a code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512 that allows an unauthenticated user to execute arbitrary code with limited permissions (nobody). CVE-2021-44529 was assigned on December 8, 2021 and currently carries a CVSSv3 rating of 9.8 (Critical). On March 25, 2024, CISA added the vulnerability to its list of Known Exploited Vulnerabilities.
The following versions of Ivanti EPM CSA are affected:
* Versions prior to 4.6
The fixed version is:
* Version 4.6.0-512 or later
Patch information is available from Ivanti as published in their security Advisory:
* Security Advisory for Ivanti Endpoint Manager - Cloud Service Appliance- https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
Intelligence: As of March 25, 2024, CISA is aware that CVE-2021-44529 has been exploited in the wild.
Workarounds: If you choose not to (or are not able to) install Patch 512, you may choose one of the following remediation paths, which apply to version 4.6 and earlier.
* Option A: Make a backup of the file /opt/landesk/broker/webroot/lib/csrf-magic.php and edit it manually: remove the ten lines near the end of the file that begin with the line "// Obscure Tokens", but leave in place the last six lines of code that follow, which are the section starting with "// Load user configuration".
* Option B: Run the following commands over SSH; they perform the backup and make the edit described in Option A:
* cd /opt/landesk/broker/webroot/lib
* cp csrf-magic.php csrf-magic.php.bak
* sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' csrf-magic.php
* Note that neither a reboot nor a service restart is needed for this change to be effective. After saving the file, it is effective immediately on the CSA.
* Additionally, if the "client" endpoint is not used, it may also be disabled. For reference, the client endpoint provides users the ability to download and run the remote assistance client. Disabling the client endpoint would, of course, disable this functionality in the product so this is not recommended unless you know it isn't needed. The following script disables the "client" endpoint and reboots the CSA. The reboot is required to make the change effective:
* cd /opt/landesk/broker/webroot
* mv client.vroot client.vrootOFF
* reboot
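A hardened version of the Option B script, added here as an example (it is not Ivanti's script or part of the original notification): it refuses to edit unless the "// Obscure Tokens" marker occurs exactly once, applies the same sed deletion as the advisory, then verifies that exactly ten lines were removed and the "// Load user configuration" section survived, restoring the backup otherwise. The function name and the assumed ten-line layout of the block are assumptions.

```shell
#!/bin/sh
# Hardened Option B for CVE-2021-44529 (added example; not Ivanti's script).
# Assumed layout, as the advisory describes it: a single "// Obscure Tokens"
# line plus the nine lines after it are the block to delete, and the
# "// Load user configuration" section that follows must survive.
# Usage: apply_csrf_magic_workaround /opt/landesk/broker/webroot/lib/csrf-magic.php
# Returns 0 on success; on any failed check the file is left (or put back) unchanged.
apply_csrf_magic_workaround() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }

    # Refuse to edit unless the marker occurs exactly once.
    n=$(grep -c 'Obscure Tokens' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one 'Obscure Tokens' marker, found $n; not editing" >&2
        return 3
    fi
    # The config-loading section must be present so we can confirm it survives.
    if ! grep -q 'Load user configuration' "$f"; then
        echo "no 'Load user configuration' section; not editing" >&2
        return 4
    fi

    before=$(wc -l < "$f")
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$f" "$bak" || return 5

    # Same edit as the advisory one-liner: the marker line plus nine more.
    if ! sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' "$f"; then
        cp -p "$bak" "$f"; return 6
    fi

    # Post-edit checks: exactly ten lines gone, marker gone, loader intact.
    after=$(wc -l < "$f")
    if [ $((before - after)) -ne 10 ] || grep -q 'Obscure Tokens' "$f" \
        || ! grep -q 'Load user configuration' "$f"; then
        echo "post-edit check failed; restoring from $bak" >&2
        cp -p "$bak" "$f"
        return 7
    fi
    echo "edited $f (backup: $bak)"
}

# Run directly against a path given on the command line.
if [ $# -gt 0 ]; then
    apply_csrf_magic_workaround "$1"
fi
```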
How it works: Information regarding the exploitation of the vulnerability has not been made public at this time. However, a Proof-Of-Concept can be found at the following link: https://github.com/jkana/CVE-2021-44529
Post-Exploit: Upon successful exploitation of the vulnerability, a remote attacker can execute arbitrary commands on the server and compromise company and user data. No known indicators of compromise have been publicly shared at this time.
As of March 25, 2024, no plugins have been provided by Tenable and none are in the pipeline.
Recommended Actions:
* Review logs for unexpected or anomalous activity.
* Verify host has not been compromised before applying patches.
* Apply the updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Apply the Principle of Least Privilege to all systems and services.
* Change default credentials and default IP of the device.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."