Bitsight Discovers Critical Backdoor in Ivanti's Cloud Appliance
Bitsight's Vulnerability Research team has uncovered a critical backdoor in Ivanti Endpoint Manager's Cloud Services Appliance (EPM CSA). The team discovered the issue, analyzed its behavior, and developed a detection check to protect customers and their third parties.
The backdoor, found in the bundled open-source component 'csrf-magic', executes a payload when a specific cookie is present in an incoming request. Bitsight's team deobfuscated the code, revealing its functionality. Because the appliance does not expose a version string that could be fingerprinted remotely, they based detection on the vulnerability's behavior instead, using a simple GET request carrying a specific cookie structure and checking how the appliance responds.
The team's Internet scans found 1748 Ivanti CSA instances, 41 of which were still vulnerable to CVE-2021-44529, the code injection issue this backdoor represents, even after it had been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Ivanti issued a fix (patch 512) and a workaround involving manual edits to the csrf-magic.php file. The research underscores the importance of proper open-source dependency management, including verifying what is actually shipped in vendored components, and of understanding a vulnerability's real behavior rather than relying on version strings for detection.
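The dependency-management lesson above is concrete: a backdoor planted in a vendored library file only survives if nobody compares what is on disk against a known-good copy. The following is an added example, not Bitsight's or Ivanti's code, of the check a deployment can run: a SHA-256 manifest of vendored third-party files is taken from a known-good release and later verified, reporting modified, added and missing files. The directory layout, the placeholder file contents and the manifest format are assumptions for illustration; the file name csrf-magic.php is the only detail taken from the page.

```python
"""Vendored-dependency integrity check (added illustration, not Bitsight's or
Ivanti's code).

Assumption: a manifest of SHA-256 digests for every vendored third-party file
(for example csrf-magic.php) is recorded from a known-good upstream release and
stored out of band. Any drift between that manifest and the files on disk is
reported, so an appended or obfuscated block in a library file cannot hide.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = sha256_bytes(fh.read())
    return manifest


@dataclass
class DriftReport:
    modified: List[str] = field(default_factory=list)  # digest differs
    added: List[str] = field(default_factory=list)     # on disk, not in manifest
    missing: List[str] = field(default_factory=list)   # in manifest, not on disk

    def clean(self) -> bool:
        return not (self.modified or self.added or self.missing)


def verify_manifest(root: str, expected: Dict[str, str]) -> DriftReport:
    """Compare the files under root against a known-good manifest."""
    actual = build_manifest(root)
    report = DriftReport()
    for rel, digest in expected.items():
        if rel not in actual:
            report.missing.append(rel)
        elif not hmac.compare_digest(actual[rel], digest):
            report.modified.append(rel)
    for rel in actual:
        if rel not in expected:
            report.added.append(rel)
    report.modified.sort()
    report.added.sort()
    report.missing.sort()
    return report


def demo() -> DriftReport:
    """Constructed scenario: snapshot a vendored tree, then tamper with it.

    The PHP contents below are placeholders standing in for the real library;
    they are constructed for this example and do not reproduce any backdoor.
    """
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        php = os.path.join(lib, "csrf-magic.php")
        with open(php, "w") as fh:
            fh.write("<?php\n// placeholder for the vendored library (constructed)\n")
        expected = build_manifest(root)  # taken while the tree is known-good

        # Tamper: append a line to the library file and drop in a new file.
        with open(php, "a") as fh:
            fh.write("// appended block standing in for a planted change (constructed)\n")
        with open(os.path.join(lib, "extra.php"), "w") as fh:
            fh.write("<?php\n")

        return verify_manifest(root, expected)


if __name__ == "__main__":
    report = demo()
    print("clean:", report.clean())
    print("modified:", report.modified)
    print("added:", report.added)
    print("missing:", report.missing)
```

The same check is useful after applying a vendor workaround that hand-edits a library file: record the manifest once the edit is in place, so that a later reversion or a second modification of csrf-magic.php shows up as drift rather than going unnoticed.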
Bitsight's team discovered a critical backdoor in Ivanti's Cloud Services Appliance; 41 of the 1748 instances found were still vulnerable. They built a behavior-based detector and highlighted the need for better open-source dependency management and for understanding vulnerabilities by their behavior rather than by version. Ivanti has issued a fix, and the team's work helps keep customers and their third parties safer.