<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h4
{mso-style-priority:9;
mso-style-link:"Heading 4 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
font-weight:bold;}
h5
{mso-style-priority:9;
mso-style-link:"Heading 5 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
span.Heading4Char
{mso-style-name:"Heading 4 Char";
mso-style-priority:9;
mso-style-link:"Heading 4";
font-family:"Calibri",sans-serif;
font-weight:bold;}
span.Heading5Char
{mso-style-name:"Heading 5 Char";
mso-style-priority:9;
mso-style-link:"Heading 5";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
p.list-group-item, li.list-group-item, div.list-group-item
{mso-style-name:list-group-item;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.ui-provider
{mso-style-name:ui-provider;}
span.test-idfield-value
{mso-style-name:test-id__field-value;}
span.uioutputtext
{mso-style-name:uioutputtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:664478341;
mso-list-type:hybrid;
mso-list-template-ids:449995990 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:774863904;
mso-list-template-ids:-1057850904;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.75in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.25in;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.75in;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.25in;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.75in;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.25in;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.75in;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.25in;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.75in;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:879977933;
mso-list-type:hybrid;
mso-list-template-ids:-1586354610 794186876 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:1496217853;
mso-list-type:hybrid;
mso-list-template-ids:1152963076 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1906065871;
mso-list-template-ids:-1245946242;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:40.5pt;
mso-level-number-position:left;
margin-left:40.5pt;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:2128890751;
mso-list-type:hybrid;
mso-list-template-ids:1334592728 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><a name="_Hlk122600425">Good afternoon,<o:p></o:p></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="mso-ligatures:standardcontextual"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The SOC Services team is reporting on the vulnerability:
<b><i>CVE-2021-44529 <span class="ui-provider">Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability</span></i></b>. Due to its high visibility and active exploitation, we are providing this in-depth information:<o:p></o:p></span></p>
<h4><span style="mso-bookmark:_Hlk122600425"><u><span style="font-size:11.0pt">History</span></u></span><span style="mso-bookmark:_Hlk122600425"><span style="font-size:11.0pt">:
</span></span><span style="mso-bookmark:_Hlk122600425"><span style="font-size:11.0pt;font-weight:normal">On December 02, 2021, Ivanti published a bulletin identifying a code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before 4.6.0-512
that allows an unauthenticated user to execute arbitrary code with limited permissions (as the nobody user). CVE-2021-44529 was established as a CVE on December 8, 2021, and is currently assigned a CVSSv3 rating of 9.8 (Critical). On March 25, 2024, CISA added the vulnerability
to its Known Exploited Vulnerabilities (KEV) catalog.</span></span><span style="mso-bookmark:_Hlk122600425"><span style="font-size:11.0pt;background:yellow;mso-highlight:yellow"><o:p></o:p></span></span></h4>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following products are affected:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
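<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo1"><span style="mso-bookmark:_Hlk122600425">Ivanti EPM Cloud Services Appliance (CSA) versions prior to 4.6 (the History section above places the boundary at builds before 4.6.0-512, so a 4.6 appliance without Patch 512 should be treated as affected)<o:p></o:p></span></li></ul>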
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The vulnerability is fixed by patching to the following version:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo2"><span style="mso-bookmark:_Hlk122600425">Version 4.6.0-512 or later<o:p></o:p></span></li></ul>
<p class="MsoListParagraph"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Patch information is available from Ivanti as published in their security Advisory:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo1"><span style="mso-bookmark:_Hlk122600425"><span class="uioutputtext">Security Advisory for Ivanti Endpoint Manager - Cloud Service Appliance</span></span><span style="mso-bookmark:_Hlk122600425">–
</span><a href="https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US"><span style="mso-bookmark:_Hlk122600425">https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Intelligence</u></b>: As of March 25, 2024, CISA is aware that CVE-2021-44529 has been exploited in the wild.
<span style="background:yellow;mso-highlight:yellow"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<h5><span style="mso-bookmark:_Hlk122600425"><b><u><span style="color:windowtext">Workarounds:</span></u></b></span><span style="mso-bookmark:_Hlk122600425"><span style="color:windowtext"> </span></span><span style="mso-bookmark:_Hlk122600425"><span style="font-family:'Calibri',sans-serif;color:windowtext">If
you choose not to (or are not able to) install Patch 512, you may choose one of the following remediation paths, which apply to version 4.6 and earlier versions.</span></span><span style="mso-bookmark:_Hlk122600425"><span style="color:windowtext"><o:p></o:p></span></span></h5>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo3"><span style="mso-bookmark:_Hlk122600425"><b><u>Option A:</u></b></span><span style="mso-bookmark:_Hlk122600425">
<span class="test-idfield-value">To mitigate the issue, make a backup of the file /opt/landesk/broker/webroot/lib/csrf-magic.php and then edit it manually as follows: remove the ten lines near the end of the file that begin with the “// Obscure Tokens” comment, but leave in place the
last 6 lines of code that follow, which form the section starting with “// Load user configuration”.</span><span class="test-idfield-value"><o:p></o:p></span></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425"><span class="test-idfield-value"><b><u>Option B:</u></b></span></span><span style="mso-bookmark:_Hlk122600425"><span class="test-idfield-value">
</span></span><span style="mso-bookmark:_Hlk122600425">Run the following script via ssh which will do the backup and make the edits referenced in Option A:<o:p></o:p></span></li></ul>
<ul type="disc">
<li class="list-group-item" style="margin-left:.25in;mso-list:l1 level1 lfo4"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">cd /opt/landesk/broker/webroot/lib</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="margin-left:.25in;mso-list:l1 level1 lfo4"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">cp csrf-magic.php csrf-magic.php.bak</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="margin-left:.25in;mso-list:l1 level1 lfo4"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' csrf-magic.php</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li></ul>
<p><span style="mso-bookmark:_Hlk122600425">The following list repeats the Option B script shown above; run it only once, because repeating the cp step would overwrite the backup with the already-edited file:<o:p></o:p></span></p>
<ul type="disc">
<li class="list-group-item" style="mso-list:l5 level1 lfo3"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">cd /opt/landesk/broker/webroot/lib</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="mso-list:l5 level1 lfo3"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">cp csrf-magic.php csrf-magic.php.bak</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="mso-list:l5 level1 lfo3"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">sed -i '/Obscure Tokens/{N;N;N;N;N;N;N;N;N;d}' csrf-magic.php</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo3">
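<span style="mso-bookmark:_Hlk122600425">Note that neither a reboot nor a service restart is needed for this change to be effective. After saving the file, it is effective immediately on the CSA. Before relying on the change, compare the edited file with the backup (for example, <code>diff csrf-magic.php.bak csrf-magic.php</code>) to confirm that only the ten-line “// Obscure Tokens” block was removed.<o:p></o:p></span></li></ul>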
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:4.5pt;mso-list:l4 level1 lfo5">
<span style="mso-bookmark:_Hlk122600425"><span class="test-idfield-value">Additionally, if the “client” endpoint is not used, it may also be disabled. For reference, the client endpoint provides users the ability to download and run the remote assistance client.
Disabling the client endpoint would, of course, disable this functionality in the product so this is not recommended unless you know it isn’t needed.
</span></span><span style="mso-bookmark:_Hlk122600425">The following script disables the “client” endpoint and reboots the CSA. The reboot is required to make the change effective:<o:p></o:p></span></li><ul type="circle">
<li class="list-group-item" style="mso-list:l4 level2 lfo5"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">cd /opt/landesk/broker/webroot</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="mso-list:l4 level2 lfo5"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">mv client.vroot client.vrootOFF</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="list-group-item" style="mso-list:l4 level2 lfo5"><span style="mso-bookmark:_Hlk122600425"><code><span style="font-size:10.0pt">reboot</span></code></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li></ul>
</ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>How it works</u></b>:
<span class="ui-provider">Details of how the vulnerability is being exploited in the wild have not been made public at this time. However, a Proof-Of-Concept is publicly available, so unpatched appliances should be treated as readily exploitable; it can be found at the following link:
</span></span><a href="https://github.com/jkana/CVE-2021-44529"><span style="mso-bookmark:_Hlk122600425">https://github.com/jkana/CVE-2021-44529</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Post-Exploit</u></b>: Upon successful exploitation of the vulnerability, a remote unauthenticated attacker can execute arbitrary commands on the appliance with the limited permissions of the nobody account, which can lead to compromise of company and user data. No known indicators
of compromise have been publicly shared at this time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
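<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">As of March 25, 2024, Tenable has not provided a detection plugin for this vulnerability and none is in its plugin pipeline. Tenable scan results therefore cannot be used to confirm exposure; check the installed CSA version on each appliance directly.<o:p></o:p></span></p>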
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Recommended Actions</u></b>:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l3 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">Review logs for unexpected or anomalous activity.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l3 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">Verify host has not been compromised before applying patches.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l3 level1 lfo6"><span style="mso-bookmark:_Hlk122600425">Apply the Principle of Least Privilege to all systems and services.</span><o:p></o:p></li><li class="MsoNormal" style="mso-list:l3 level1 lfo6">Change default credentials and default IP of the device.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="702" style="width:526.5pt;border-collapse:collapse">
<tbody>
<tr style="height:63.0pt">
<td width="118" valign="top" style="width:88.35pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><span style="color:#1F497D"><img border="0" width="121" height="87" style="width:1.2604in;height:.9062in" id="Picture_x0020_4" src="cid:image001.png@01DA7EB1.42B46240"></span><span style="color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="493" valign="top" style="width:369.65pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><b>Cyber Security Services<o:p></o:p></b></p>
<p class="MsoNormal" style="line-height:105%">State of Oregon Cyber Security Services<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Enterprise Information Services | SOC<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Cyber Security Services (CSS)<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378<span style="color:#1F497D"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="611" colspan="2" valign="top" style="width:458.05pt;padding:0in 4.65pt 0in 4.65pt">
<p class="MsoNormal" style="line-height:105%"><i><span style="color:#2E74B5">“Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians.”<o:p></o:p></span></i></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-ligatures:standardcontextual"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>