PoC exploit for Ivanti EPMM privilege escalation flaw released (CVE 2024-22026)
Technical details about and a proof-of-concept (PoC) exploit for CVE-2024-22026, a privilege escalation bug affecting Ivanti EPMM, has been released by the vulnerability’s reporter.
About CVE-2024-22026
Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is used by enterprises to securely manage the lifecycle of mobile devices and mobile applications.
CVE-2024-22026 was discovered by Bryan Smith, a security researcher with Redline Cyber Security, and affects Ivanti EPMM v12.0 and earlier.
“CVE-2024-22026 stems from inadequate validation in the EPMM CLI’s tool installation command,” Smith explained.
“The EPMM CLI console allows the ability to ‘Install tools or RPMs’ via the [install] command. Further review shows that the [install rpm url] can fetch an RPM package from a user-provided URL, without verifying their authenticity.”
CVE-2024-22026 is not a remotely exploitable vulnerability. An attacker must first gain access to EPMM’s command line interface, either by exploiting a different vulnerability or by being able to physically interact with a vulnerable installation.
Once they have that kind of access and are looking to elevate their privileges, they can do so by downloading and leveraging a previously crafted RPM package that contains a script that creates a new user account with root access.
“It is important to note that the useradd command must specify the shell with [useradd -s /bin/sh]; otherwise, the new user account will be created but remain in the restricted CLI environment,” Smith noted.
“Attempting to SSH to the appliance using the newly created account confirms that the backdoor account was created and the user has full root access to the appliance’s underlying operating system and code, effectively bypassing the intended restricted shell environment located at [/mobileiron.com/programs/com.mobileiron.core.base/bin/clish].”
Successful exploitation can lead to complete system compromise, unauthorized access to sensitive data, and offers potential for further network intrusion, he concluded.
What to do?
CVE-2024-22026, along with two SQL injection flaws (CVE-2023-46806, CVE-2023-46807), have been fixed in Ivanti EPMM v12.1.0.0.
CVE-2024-22026 has also been fixed in versions 12.0.0.0/1 and 11.12.0.1, and a fix for the other two flaws will be available for those versions via a patch in the coming weeks, Ivanti said. “We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure.”
To mitigate the risk of exploitation, admins are advised to upgrade their installation(s) to the latest available version as soon as possible.