CVE-2023-28129
📋 TL;DR
This vulnerability allows a local low-privileged user account to execute arbitrary operating system commands with the privileges of the DSM software installation user. It affects Ivanti DSM 2022.2 SU2 and all prior versions, potentially enabling privilege escalation on affected systems.
💻 Affected Systems
- Ivanti DSM (Device and Service Management)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local low-privileged access could gain full control of the system by executing arbitrary OS commands as the DSM installation user, potentially leading to complete system compromise, data theft, or lateral movement.
Likely Case
Malicious insiders or attackers who have gained initial low-privileged access could escalate privileges to install malware, exfiltrate sensitive data, or maintain persistence on the system.
If Mitigated
With proper access controls and monitoring, exploitation would be limited to authorized low-privileged users and would be detectable through security monitoring.
🎯 Exploit Status
Exploitation requires local low-privileged access, but the actual command execution appears to be straightforward based on the vulnerability description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DSM 2022.2 SU3 or later
Vendor Advisory: https://forums.ivanti.com/s/article/SA-2023-07-26-CVE-2023-28129
Restart Required: Yes
Instructions:
1. Download DSM 2022.2 SU3 or later from the Ivanti support portal.
2. Back up the current DSM configuration.
3. Install the update following Ivanti's upgrade documentation.
4. Restart the DSM service or server as required.
🔧 Temporary Workarounds
Restrict local user access
Limit local user accounts on DSM servers to only essential personnel and implement strict access controls.
Implement privilege separation
Ensure the DSM installation user has the minimal necessary privileges and is separate from administrative accounts.
🧯 If You Can't Patch
- Implement strict monitoring of local user activities and command execution on DSM servers
- Apply network segmentation to isolate DSM servers from critical systems and limit lateral movement potential
🔍 How to Verify
Check if Vulnerable:
Check DSM version via DSM web interface or by examining installation directory version files. Versions 2022.2 SU2 and earlier are vulnerable.
Check Version:
On Windows: Check DSM installation directory for version files. On Linux: Check /opt/landesk/ directory or use DSM web interface administration panel.
Verify Fix Applied:
Verify DSM version is 2022.2 SU3 or later after applying the patch. Check that the update was successfully installed through DSM administration interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution by low-privileged users
- Process creation with DSM installation user privileges from non-administrative accounts
- Failed privilege escalation attempts in system logs
Network Indicators:
- Unusual outbound connections from DSM servers
- Lateral movement attempts from DSM servers to other systems
SIEM Query:
source="dsm_logs" AND (event_type="command_execution" OR user_privilege_change="escalation") AND user_privilege="low"
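The process-creation indicator above (a process running with DSM installation user privileges, started by a non-administrative account) as a small detection routine run over constructed sample events. This is an added example, not code from the advisory or from Ivanti; the account name `svc_dsm`, the admin account list, and the event field layout are assumptions.

```python
"""Added detection example (not from the advisory): flag process-creation
events where a process runs as the DSM installation account but was
started by a different, non-administrative local user.

Assumed (not stated on the page): the DSM installation account is named
"svc_dsm", privileged accounts are those in ADMIN_USERS, and events are
Windows-style process-creation records with the fields used below.
"""
from dataclasses import dataclass

DSM_INSTALL_USER = "svc_dsm"                    # assumed service account
ADMIN_USERS = {"administrator", "dsm_admin"}    # assumed privileged accounts
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    ts: str
    subject_user: str    # account that triggered the process creation
    process_user: str    # account the new process actually runs as
    image: str           # executable file name
    cmdline: str


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a low-privileged user obtains execution as the DSM account."""
    runs_as_dsm = ev.process_user.lower() == DSM_INSTALL_USER.lower()
    started_by_other = ev.subject_user.lower() != ev.process_user.lower()
    low_priv = ev.subject_user.lower() not in ADMIN_USERS
    return runs_as_dsm and started_by_other and low_priv


def scan(events):
    """Return (timestamp, subject_user, image, severity) per suspicious event.

    A shell interpreter running as the DSM account is rated high; any other
    image is rated medium so it can still be reviewed.
    """
    hits = []
    for ev in events:
        if is_suspicious(ev):
            severity = "high" if ev.image.lower() in SHELLS else "medium"
            hits.append((ev.ts, ev.subject_user, ev.image, severity))
    return hits


# Constructed sample events; not real DSM telemetry.
SAMPLE = [
    ProcEvent("2023-07-26T10:00:01", "svc_dsm", "svc_dsm", "DsmService.exe", "DsmService.exe"),
    ProcEvent("2023-07-26T10:02:15", "dsm_admin", "svc_dsm", "cmd.exe", "cmd.exe /c dir"),
    ProcEvent("2023-07-26T10:05:42", "jsmith", "svc_dsm", "cmd.exe", "cmd.exe /c dir"),
    ProcEvent("2023-07-26T10:06:00", "jsmith", "jsmith", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT", *hit)
```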