CVE-2019-12373
📋 TL;DR
This vulnerability in Ivanti LANDESK Management Suite lets a remote attacker read administrator credentials without authenticating: directories under the management server's web interface are browsable because access control on them is missing, and files in those directories expose administrative passwords. It affects organizations running the vulnerable version of the endpoint management software and puts the credentials that control every managed endpoint at risk.
💻 Affected Systems
- Ivanti LANDESK Management Suite
- Ivanti Endpoint Manager
📦 What is this software?
LANDESK Management Suite is an endpoint management platform (inventory, software distribution, patch management, remote control) whose core server runs on Windows with IIS hosting its web consoles. After LANDESK became part of Ivanti, the product was renamed Ivanti Endpoint Manager, which is why both names appear above.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrator credentials, leading to complete compromise of the management infrastructure, lateral movement across the network, and potential ransomware deployment.
Likely Case
Attackers steal administrator passwords, gain privileged access to the management console, and compromise managed endpoints.
If Mitigated
If only trusted management stations can reach the web interface, an attacker must first compromise one of those hosts; exposure is then limited to the management server and what can be reached from it rather than to anyone on the network.
🎯 Exploit Status
Exploitation requires network access to the management interface but no authentication: the exposed directories are simply requested over HTTP(S). Public write-ups describing the issue exist (see References).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.1.168 Service Update 6 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-for-LANDESK-Management-Suite
Restart Required: Yes
Instructions:
1. Download the latest service update from the Ivanti support portal.
2. Back up the current configuration.
3. Apply the update following Ivanti's installation guide.
4. Restart the LANDESK services.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the LANDESK management interface to trusted IP addresses only
Configure firewall rules to restrict access to port 443/TCP (or your configured HTTPS port) to authorized management stations only
Disable Directory Listing
Configure IIS to prevent directory browsing on the LANDESK web directories
In IIS Manager, select the LANDESK site, open Directory Browsing feature, and set to Disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the LANDESK server from untrusted networks
- Change all administrator passwords and implement multi-factor authentication where possible
🔍 How to Verify
Check if Vulnerable:
From a host that is not an authorized management station, request the LANDESK web directories without logging in. A 200 response whose body is an IIS directory listing (a file list with a "[To Parent Directory]" link) means directory browsing is enabled on that path and the server is exposed.
Check Version:
Check the version in the LANDESK console under Help > About, or examine the installed programs list in Windows
Verify Fix Applied:
Verify the installed version is 10.0.1.168 Service Update 6 or later and test that password files are no longer accessible
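The verification steps above can be scripted. The following is an added example (not Ivanti tooling and not from the advisory) that requests a list of web directories as an unauthenticated client, reports which ones come back as browsable directory listings, and compares the installed build number against the patched version the page names. The directory paths, the hostname and the canned responses are assumptions constructed for the demo; replace the paths with the virtual directories of your LANDESK site in IIS and swap in `http_fetch` to test a live server.

```python
"""Added check for CVE-2019-12373 exposure: does the LANDESK core server's web
interface return directory listings to an unauthenticated client, and is the
installed build at or above the patched version the advisory page names?
Example code, not Ivanti's tooling."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# The advisory names no specific directories; these paths are placeholders to
# replace with the virtual directories of your LANDESK site in IIS.
CANDIDATE_PATHS: List[str] = ["/landesk/", "/ldlogon/", "/remote/"]

# Text an IIS directoryBrowse page always contains; the second marker covers an
# Apache/nginx autoindex if a reverse proxy sits in front of the core server.
LISTING_MARKERS = ("[To Parent Directory]", "<title>Index of /")

# Base build from the page. The Service Update level is not encoded in the
# build number, so confirm "Service Update 6" separately under Help > About.
PATCHED_VERSION = "10.0.1.168"

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Unauthenticated GET returning (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "ldms-dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def looks_like_directory_listing(status: int, body: str) -> bool:
    """True when a 200 body carries a directory-listing marker."""
    return status == 200 and any(marker in body for marker in LISTING_MARKERS)


def probe(base_url: str, paths: List[str] = CANDIDATE_PATHS,
          fetch: Fetcher = http_fetch) -> Dict[str, bool]:
    """Map each path to True when it is served as a browsable directory."""
    base = base_url.rstrip("/")
    return {p: looks_like_directory_listing(*fetch(base + p)) for p in paths}


def version_at_least(installed: str, required: str = PATCHED_VERSION) -> bool:
    """Compare dotted build numbers numerically (so 10.0.1.9 < 10.0.1.168)."""
    def to_tuple(v: str) -> Tuple[int, ...]:
        return tuple(int(x) for x in v.strip().split("."))
    return to_tuple(installed) >= to_tuple(required)


# Constructed responses standing in for a vulnerable and a hardened server so
# the check can be exercised offline; "creds.xml" is an invented file name.
IIS_LISTING = ('<html><head><title>core - /landesk/</title></head><body>'
               '<h1>core - /landesk/</h1><hr><pre><a href="/">[To Parent Directory]</a>'
               '<br>Monday, June 10, 2019  9:12 AM  1024 <a href="/landesk/creds.xml">'
               'creds.xml</a></pre></body></html>')
VULNERABLE_SITE = {"/landesk/": (200, IIS_LISTING),
                   "/ldlogon/": (200, "<html><body>login form</body></html>"),
                   "/remote/": (404, "")}
HARDENED_SITE = {"/landesk/": (403, ""), "/ldlogon/": (403, ""), "/remote/": (404, "")}


def fake_fetch(site: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build a fetcher that answers from a canned site instead of the network."""
    return lambda url: site.get(urllib.parse.urlsplit(url).path, (404, ""))


if __name__ == "__main__":
    # The hostname is assumed; pass fetch=http_fetch to probe a real core server.
    for name, site in (("vulnerable", VULNERABLE_SITE), ("hardened", HARDENED_SITE)):
        print(name, probe("https://core.example.internal", fetch=fake_fetch(site)))
    print("build at or above patch level:", version_at_least("10.0.1.168"))
```

After patching, or after disabling directory browsing in IIS, every probed path should report False; a path that still reports True is still exposing its contents to unauthenticated clients.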
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests (empty cs-username in IIS logs) returning 200 for LANDESK web directory URLs, which is what a directory listing looks like in the log
- Sequences of requests that first fetch a directory URL and then individual files beneath it, especially from a single source in quick succession
Network Indicators:
- IP addresses outside the management subnet, or outside the organization, requesting LANDESK web interface paths containing 'password' or 'admin'
SIEM Query (Splunk-style; adjust the source and field names to your log pipeline):
source="LANDESK" AND (url="*password*" OR url="*admin*") AND response_code=200
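The same logic can be applied directly to the IIS W3C logs on the core server when the logs are not yet in a SIEM. The following is an added example, not part of the advisory or of any Ivanti product: it parses the `#Fields` header, flags unauthenticated 200 responses for sensitive paths or bare directory URLs, and raises the severity when the source is outside an assumed management subnet. The log lines are constructed for the demo and the file name under `/landesk/config/` is invented.

```python
"""Added detection for CVE-2019-12373 probing, run over IIS W3C log lines from
the LANDESK core server. Example code, not part of the advisory or of any
Ivanti product."""
import ipaddress
from typing import Dict, Iterable, Iterator, List

# Assumed: the subnet where authorized management stations live.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
# Path fragments the page's SIEM query keys on.
SENSITIVE_TOKENS = ("password", "admin")


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header.

    IIS writes '+' for spaces inside a field (e.g. the User-Agent), so splitting
    on whitespace is safe. Rows before any header, or truncated rows, are skipped.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file; re-read it
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def is_management_ip(ip: str) -> bool:
    """True when the client address falls inside an authorized management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def find_suspicious(records: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag unauthenticated 200s on sensitive paths or on bare directory URLs."""
    findings: List[Dict[str, object]] = []
    for r in records:
        uri = r.get("cs-uri-stem", "").lower()
        status = r.get("sc-status", "")
        user = r.get("cs-username", "-")   # "-" means no authenticated user
        src = r.get("c-ip", "")
        reasons: List[str] = []
        if status == "200" and any(tok in uri for tok in SENSITIVE_TOKENS):
            reasons.append("sensitive path served with 200")
        if status == "200" and uri.endswith("/") and user == "-":
            reasons.append("directory URL served to unauthenticated client")
        if reasons and not is_management_ip(src):
            reasons.append("source outside management subnet")
        if reasons:
            findings.append({"time": f"{r.get('date')} {r.get('time')}",
                             "src": src, "uri": r.get("cs-uri-stem", ""),
                             "status": status, "reasons": reasons})
    return findings


# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-06-10 09:12:01 10.10.50.5 GET /landesk/ - 443 ldadmin 10.10.50.21 Mozilla/5.0 200 0 0 15
2019-06-10 09:12:09 10.10.50.5 GET /landesk/config/ - 443 - 203.0.113.7 python-requests/2.21.0 200 0 0 9
2019-06-10 09:12:10 10.10.50.5 GET /landesk/config/AdminPassword.xml - 443 - 203.0.113.7 python-requests/2.21.0 200 0 0 4
2019-06-10 09:12:11 10.10.50.5 GET /landesk/config/AdminPassword.xml - 443 - 198.51.100.9 curl/7.64.0 404 0 2 3
2019-06-10 09:15:30 10.10.50.5 GET /remote/login.aspx - 443 - 10.10.50.22 Mozilla/5.0 200 0 0 20
"""

if __name__ == "__main__":
    for f in find_suspicious(parse_iis_w3c(SAMPLE_LOG.splitlines())):
        print(f["time"], f["src"], f["status"], f["uri"], "; ".join(f["reasons"]))
```

On the sample, the authenticated console session from the management subnet and the 404 are ignored; the two unauthenticated 200s from 203.0.113.7 (a directory URL, then a file whose name matches the sensitive tokens) are reported, each tagged as coming from outside the management subnet. The directory-URL rule is a heuristic: it cannot see the response body, so confirm with the probe described under How to Verify before treating a hit as a confirmed listing.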
🔗 References
- https://www.gnzlabs.io/gnzlabs-blog/landesk-management-server-administrator-password-disclosure/
- https://www.gnzlabs.io/gnzlabs-blog/landesk-management-server-multiple-vulnerabilities/