Latest Articles

Win a place @HackFu 2021 Community Edition!

Hello world! At JUMPSEC we've managed to get our hands on tickets to what is probably the greatest cyber security event in the calendar, HackFu! To be in with a chance of winning you simply need to complete the following challenge, which you can download here (the download contains all the information needed to complete the challenge): https://drive.google.com/file/d/1WFU23lFzGtxW4U5_FPzlbM4auHSZTiGt/view?usp=sharing

The deadline for submissions is 6th January 2021, and we will announce the lucky winner on 8th January 2021. You don't need to, but feel free to add a bit of detail to your submission - we love hearing about the creative ways in which people solve our challenges.

To be eligible to win a HackFu ticket you must be able to attend HackFu on Friday 29th January 2021 between 09:30 and 17:30 GMT (it is an online event due to the global pandemic) and you must be at least 18 years old. If you are the lucky winner we will request a postal address from you so that you can receive your HackFu survival pack, which is necessary to participate. If you're not eligible to win the tickets or are unable to attend, you are still very welcome to have a go at the challenge and even to submit your answers or ask us for some help if you get stuck - just let us know not to enter you into the prize draw.


December 21, 2020, jstester007

Advisory CVE-2020-13769 – Ivanti Unified Endpoint Manager SQL injection

Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1; <= 2019.1.3
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13769
Published: 13/11/2020
CVSS 3.1 Score: 7.4 - AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks against the underlying database. On a standard installation with default options, the account used to query the database is a database administrator.


November 13, 2020, Andrei Constantin Scutariu

Advisory CVE-2020-13772 - Ivanti Unified Endpoint Manager system information disclosure

Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13772
Published: 13/11/2020
CVSS 3.1 Score: 5.3 - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Remote, unauthenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Ivanti Unified Endpoint Manager's "ldcient" component exposes information about the system that could be used in further attacks against the system.

Mitigation

There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability; it is advised to review the host configuration and monitor for suspicious activity. If possible, consider disabling or whitelisting access to the affected URLs.


November 13, 2020, Andrei Constantin Scutariu