Ivanti Landesk Management Suite 10.0.1.168 Remote Code Execution Vulnerability

Summary

Improper access control and open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to remote disclosure of administrator passwords.

Credit:

The information has been provided by Ivanti

The original article can be found at: https://www.gnzlabs.io/gnzlabs-blog/landesk-management-server-administrator-password-disclosure/


Details

During an imaging task, the LANDesk provisioning subsystem creates a copy of each injected file in the globally readable network share \\<coreserver>\ldlogon\provisioning\config. This share is created during the LANDesk Management Core Server installation process, and the installer automatically sets the permissions such that “Everyone” can read from this directory.

Once the imaging task is finished, the file copies are usually removed. However, if an imaging task fails, the files are stored in the aforementioned network share in perpetuity.

If an unattend.xml file is injected during the provisioning task, an unsanitized version of that file is stored in the globally readable network share with inherited permissions. As such, it is possible for anyone with a domain user account (or access to a an account within a federated domain) to read the contents of the file stored in ldlogon\provisioning\config. They can then decode the base64 string stored within and retrieve the administrator account password.

While the “Everyone” permission can (and should) be removed from this directory, there is no way to completely lock down this directory. This is because the directory can also be viewed through a web service available at https://<coreserver>/ldlogon/provisioning/config. More information on this can be found here: LANDesk Management Server – Open Directories.

Vulnerable Systems:

  • Ivanti Landesk Management Suite 10.0.1.168

CVE Information:

CVE-2019-12373

Disclosure Timeline:
Publish Date:06/03/2019

Categories: News