LANDesk Management Server - Multiple Vulnerabilities
Multiple vulnerabilities of varying severity have been identified in LDMS 10.0.1.168 Service Update 5
The vendor has been notified of these vulnerabilities. This version is no longer being actively developed (end of life 12/31/2018), so these vulnerabilities will not be patched. However, fixes will be released for supported versions where applicable. These vulnerabilities affect the following LDMS modules:
- Managed endpoint security settings
- Provisioning
- Endpoint encryption / Mac file vault / Device Adminsitration
- Device Inventory / Vulnerability Management
These vulnerabilities range in severity from inconsequential to critical, and some can be used together to gain full administrative control of the LDMS server and/or a full takeover of managed endpoints.
A list of weaknesses found is as follows:
- (CWE-284) Improper Access Control
- (CWE-213) Intentional Information Disclosure
- (CWE-548) Information Exposure through Directory Listing
- (CWE-434) Unrestricted Upload of File with Dangerous Type
- (CWE-89) Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection')
- (CWE-327) Use of a Broken or Risky Cryptographic Algorithm
- (CWE-261) Weak Cryptography for Passwords
- (CWE-321) Use of a Hard-coded Cryptographic Key
- Additional unpublished weaknesses*
A list of confirmed vulnerabilities derived from those weaknesses is as follows:
- [CVE-2019-12375] LANDesk Management Server - Open Directories
- [CVE-2019-12373] LANDesk Management Server - Administrator Password Disclosure
- [CVE-2019-12377] LANDesk Management Server - Arbitrary File Upload
- [CVE-2019-12376] LANDesk Management Server - Hard-coded Encryption Key
- [CVE-2019-12374] LANDesk Management Server - SQL Injection
- Additional unpublished vulnerabilities*
*At least one additional vulnerability is confirmed to affect newer versions of LDMS. I will not publish these vulnerabilities until the vendor confirms that they have been patched.