-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-018
Product: Ivanti DSM
Manufacturer: Ivanti
Affected Version(s): 2018.1
Tested Version(s): 2018.1
Vulnerability Type: Incorrect Default Permissions (CWE-276)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-05-22
Solution Date: 2020-04-01
Public Disclosure: 2021-10-15
CVE Reference: None assigned
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Ivanti DSM (formerly HEAT and Frontrange DSM) is an enterprise software
deployment solution.

The manufacturer describes the product as follows (see [1]):

"IVANTI Desktop & Server Management (IVANTI DSM) is a multi-platform
unified endpoint management solution that automatically packages and
deploys software and operating systems, patches vulnerabilities,
discovers software and hardware assets, and efficiently manages Windows
OS migrations, virtual environments, Citrix server farms, and more. The
DSM suite contains all the tools necessary to manage and secure
endpoints from a unified, intuitive console."

Due to inherited insecure file system permissions, the content of
Ivanti DSM's software depot share can be modified by unprivileged users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The default depot location C:\DSM created by the installer does not
override the file system permissions inherited from C:\. By default,
Windows installations grant all authenticated users write permissions
on C:\, and C:\DSM inherits these entries.

This allows local users and domain users to modify the contents of the
share. This includes replacing executables that are regularly invoked by
administrators during deployment and management tasks. For example,
dsmc.exe, the executable of the "DSM Console" on the Management Node's
administrator desktop, can be replaced.
Apart from regular local users on the management node and domain
accounts, if a user account is configured for depot access, valid
credentials for it can be extracted from any managed client system. The
credentials of this account are stored in obfuscated form, readable by
everybody, in the NiCfg*.ncp configuration files on each managed client
system. Because the algorithm of the k4 password format is known,
password information stored in this format can be decoded without any
further information. This security vulnerability is described in our
SySS security advisory SYSS-2019-019 [2].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

On a fresh Ivanti DSM installation, the DACL is as follows:

C:\>icacls DSM
DSM DSMSERVER\ivantiall:(OI)(CI)(M,DC)
    Everyone:(OI)(CI)(R)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
>>  NT AUTHORITY\Authenticated Users:(I)(M)
>>  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

The two entries marked with ">>" are inherited from C:\ and grant
modify (M) rights to all authenticated users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Verify that the DSM repository permissions are correct. Remove the
inherited ACL entries from C:\DSM.

Ivanti DSM starting with version 2020.1 should set the correct
permissions during installation.
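As an added illustration for verifying the depot permissions (this is example code, not part of the SySS advisory and not Ivanti's software), the following Python script parses the text that "icacls <path>" prints and flags every ACE that grants write-class rights to a broad principal such as "Everyone", "Users" or "Authenticated Users", noting whether the entry is inherited. The first sample reproduces the DACL shown above (the trailer line is constructed); the second is a constructed DACL for the same directory after inheritance has been removed and Administrators, SYSTEM and Users have been granted explicitly. The set of principals treated as "broad" and the set of rights treated as write-class are assumptions chosen for this check.

```python
r"""Audit an icacls listing of a software depot (the advisory's C:\DSM) and
flag ACEs that let broad principals such as 'Authenticated Users' modify
its content.  Added example; not code from SySS or Ivanti."""
import re
from dataclasses import dataclass

# icacls inheritance markers; everything else inside the parentheses is a right.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Simple and specific icacls rights that allow creating, changing or replacing
# files (assumed set for this check): F, M, W, D plus write-class specific rights.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DC", "GW", "WA", "WEA"}

# Principals that effectively mean "any logged-on user" (assumed set); compared
# against the part after the domain/authority prefix, case-insensitively.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users", "interactive"}

# One ACE line: "<principal>:(flag)(flag)..." where flags may be comma-separated.
ACE_RE = re.compile(r"^(?P<principal>[^()]+?):(?P<flags>(?:\([^)]*\))+)$")


@dataclass(frozen=True)
class Ace:
    principal: str
    flags: tuple  # inheritance markers and rights exactly as printed by icacls

    @property
    def rights(self) -> frozenset:
        return frozenset(f for f in self.flags if f not in INHERIT_FLAGS)

    @property
    def inherited(self) -> bool:
        return "I" in self.flags

    @property
    def inherit_only(self) -> bool:
        return "IO" in self.flags

    @property
    def broad_principal(self) -> bool:
        return self.principal.rsplit("\\", 1)[-1].strip().lower() in BROAD_PRINCIPALS

    @property
    def grants_write(self) -> bool:
        return bool(self.rights & WRITE_RIGHTS)


def parse_icacls(path: str, output: str) -> list:
    """Parse the text `icacls <path>` prints into Ace objects."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    # icacls prints the queried path in front of the first ACE only.
    if lines and lines[0].startswith(path):
        lines[0] = lines[0][len(path):].strip()
    aces = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m:
            continue  # e.g. the "Successfully processed ..." trailer
        flags = []
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            flags.extend(f.strip() for f in group.split(",") if f.strip())
        aces.append(Ace(m.group("principal").strip(), tuple(flags)))
    return aces


def audit_depot(path: str, output: str) -> list:
    """Return the ACEs that give a broad principal write access to the depot."""
    return [a for a in parse_icacls(path, output) if a.broad_principal and a.grants_write]


def report(path: str, output: str) -> list:
    """Human-readable finding lines, noting whether each ACE was inherited."""
    return [
        f"{path}: {a.principal} has {','.join(sorted(a.rights & WRITE_RIGHTS))}"
        + (" (inherited from parent)" if a.inherited else " (explicit)")
        + (" [inherit-only: applies to new children]" if a.inherit_only else "")
        for a in audit_depot(path, output)
    ]


# Sample 1: the DACL from the advisory as icacls prints it (trailer constructed).
VULNERABLE_OUTPUT = r"""
DSM DSMSERVER\ivantiall:(OI)(CI)(M,DC)
    Everyone:(OI)(CI)(R)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(I)(M)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Sample 2 (constructed): the same depot after inheritance was removed and
# Administrators, SYSTEM and Users were granted explicitly.
FIXED_OUTPUT = r"""
DSM DSMSERVER\ivantiall:(OI)(CI)(M,DC)
    Everyone:(OI)(CI)(R)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, out in (("vulnerable", VULNERABLE_OUTPUT), ("fixed", FIXED_OUTPUT)):
        findings = report("DSM", out)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Run against the advisory's listing the script reports the two inherited "Authenticated Users" entries and nothing else; against the constructed post-fix listing it reports nothing. When remediating, note that "icacls <path> /inheritance:r" removes all inherited ACEs (so Administrators and SYSTEM must be granted explicitly afterwards), whereas "/inheritance:d" copies the inherited entries into explicit ones, which would leave the Authenticated Users grants in place and still flagged by this check.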
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-26: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2020-04-01: Patch released by manufacturer
2021-10-15: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Ivanti DSM
    https://www.ivanti.de/products/desktop-and-server-management
[2] SySS Security Advisory SYSS-2019-019
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-019.txt
[3] SySS Security Advisory SYSS-2019-018
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-018.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmFj5FIACgkQdo7+K7Pl
PdqaUwf/RD10qvLXJc8kOqFwxUJrnDzwW9nfkiA88tsJ65Rz0fyypmH8UNF0rlZ/
rXVb4uolKA5U5o3vyglpwIaJGbaZmBX0FxmMYqYuucEEWbhde8+sdBtQGloraCg7
4mKjQ8/RPpSJYBtZLhPbDok7tIWyHSzvnSn/noiQBCvXWT4VadfGsDEemKMeMkur
fZsk97MEzBVDBba2TFfyqQge5Pjwsvi3cYq3s1LKuKsASwyFzbE5PNLL/+uIk8dD
IfIdJx6qM3FU+HGrQt1GQOh9njp3pU+eN+2Xzh+QzesIB1q6F8UtJ0mYUuK/sS6h
ARE9Fukjg487TKzhYLqU/dydP0waFg==
=W6U/
-----END PGP SIGNATURE-----