
CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability


Critical vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

Background

On July 24, a post from Heise Online (English translation) detailed a recently patched zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM). It was formerly known as MobileIron Core prior to its acquisition by Ivanti in 2020.

CVE | Description | CVSSv3 | Severity
CVE-2023-35078 | Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability | 10.0 | Critical

Ivanti has published a blog post and a public advisory for this vulnerability that contain some information. Further details, however, are only available in a knowledge base (KB) article that is restricted to Ivanti customers.

Analysis

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to reach the server’s application programming interface (API), which is normally only accessible to authenticated users. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation allows an attacker to access “specific API paths.”

These API paths could allow an attacker to obtain personally identifiable information (PII) from the server that may include but is not limited to names, phone numbers, and details about the mobile devices being managed by EPMM.

Additionally, an attacker could potentially utilize the unrestricted API paths to modify a server’s configuration file, which could result in the creation of an admin account on the server that would allow the attacker to “make further changes to a vulnerable system.”

Knowledge base article restricted to customers only

Additional details surrounding CVE-2023-35078 are currently restricted to a knowledge base article that is only accessible to customers with valid login credentials. Tenable was provided access to the support article and our blog post reflects what we currently know about this vulnerability.

Confirmed exploitation of CVE-2023-35078 as a zero-day

According to the knowledge base article and blog post from Ivanti as well as a BleepingComputer report, the vulnerability was exploited in the wild as a zero-day “against a very small number of customers (e.g., less than 10).” The article does not provide any other specifics about the in-the-wild exploitation. The KB article does recommend that if a customer thinks they are impacted, they can request an “Analysis Guidance” document from Ivanti support.

Attack against 12 Norwegian government ministries linked to CVE-2023-35078

Runa Sandvik, a security researcher and founder of Granitt, noted that according to a LinkedIn post from Nasjonal sikkerhetsmyndighet, the Norwegian National Security Authority, a cyber attack against twelve Norwegian government ministries, first discovered on July 12, has been linked to the exploitation of CVE-2023-35078.

Probing of vulnerable EPMM systems has already begun

Security researcher Kevin Beaumont called the vulnerability “completely nuts,” adding that a honeypot he set up is “already being probed via the API.”

Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2023-35078.

Solution

Based on the knowledge base article that was analyzed on July 25, the following table details the affected and fixed versions of Ivanti EPMM:

Affected Version of EPMM | Fixed Version of EPMM
11.10.1 and below | 11.10.0.2
11.9.1.0 and below | 11.9.1.1
11.8.1.0 | 11.8.1.1

Ivanti also highlights that unsupported versions of EPMM prior to 11.8.1.0 are affected as well, and recommends that customers running these unsupported versions upgrade to a supported version. If upgrading is not possible, Ivanti has provided a temporary fix in the form of an RPM package. The RPM fix persists across reboots but does not survive an upgrade, so it must be treated as a stopgap rather than a permanent remediation. For more information on applying the RPM fix, customers should refer to the KB article.
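The fix table above is branch-specific: a host is only safe once it is on the patched build of its own branch, and anything older than 11.8.1.0 is unsupported and must move to a supported branch. The following Python is an added example (not Tenable's or Ivanti's code) that turns the table into a triage check over an inventory. It assumes EPMM versions are dotted four-part build numbers and that any build at or above the branch's fixed build is patched; the inventory list is constructed sample data, and the hostnames are invented.

```python
"""Triage EPMM hosts against the CVE-2023-35078 fix table (added example)."""
from typing import List, NamedTuple, Optional, Tuple

# First patched build per supported branch, keyed by (major, minor),
# taken from the fix table in the advisory write-up above.
FIXED_BUILDS = {
    (11, 10): (11, 10, 0, 2),
    (11, 9): (11, 9, 1, 1),
    (11, 8): (11, 8, 1, 1),
}
# Anything below this is an unsupported release; Ivanti says it is affected too.
OLDEST_SUPPORTED = (11, 8, 1, 0)


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a dotted build string such as '11.9.1.0' into a 4-tuple.

    Missing trailing components are treated as zero, so '11.9' == '11.9.0.0'.
    Tuples compare lexicographically, which is what we need for 'below'.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized EPMM version string: {s!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return (nums[0], nums[1], nums[2], nums[3])


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in v)


class Assessment(NamedTuple):
    version: str
    affected: bool
    supported: bool
    target: Optional[str]  # build to move to; None when nothing to do
    note: str


def assess(version: str) -> Assessment:
    """Classify one EPMM build against the fix table."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        fixed = FIXED_BUILDS[branch]
        if v >= fixed:  # assumption: fixed build or later on this branch is patched
            return Assessment(version, False, True, None, "patched build")
        return Assessment(version, True, True, fmt(fixed),
                          "update to the fixed build of this branch")
    if v < OLDEST_SUPPORTED:
        # Unsupported release: no patch exists, upgrade to the newest fixed branch.
        newest = max(FIXED_BUILDS.values())
        return Assessment(version, True, False, fmt(newest),
                          "unsupported release, upgrade to a supported branch")
    # A branch newer than the table knows about: not listed as affected,
    # but flag it so a human confirms against the current advisory.
    return Assessment(version, False, True, None,
                      "branch not in fix table, verify against current advisory")


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Assessment]]:
    """Return only the hosts that still need action, oldest builds first."""
    hits = [(host, assess(ver)) for host, ver in inventory]
    hits = [(h, a) for h, a in hits if a.affected]
    return sorted(hits, key=lambda ha: parse_version(ha[1].version))


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("mdm-eu-1", "11.10.0.1"),
    ("mdm-eu-2", "11.10.0.2"),
    ("mdm-us-1", "11.9.1.0"),
    ("mdm-us-2", "11.8.1.0"),
    ("mdm-lab", "11.7.0.0"),
]

if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {a.version:10} -> {a.target:10} ({a.note})")
```

Running the block prints the four hosts that still need action with the build each should move to; mdm-eu-2 is already on 11.10.0.2 and is left out. Note that a host listed as patched by this check may still have been compromised before the update, which is why the KB article's "Analysis Guidance" document matters alongside the version check.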

Identifying affected systems

Organizations that use Ivanti EPMM can utilize the following detection plugins to identify assets within their environments:

Plugin ID | Name | Product | Family | Severity
141340 | MobileIron Core Detection | Nessus | Service detection | INFO
141341 | MobileIron Core API Detection | Nessus | Service detection | INFO

* Please note that the names of these plugins are subject to change but the plugin IDs will remain the same.

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. The plugin page for CVE-2023-35078 displays all available plugins, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

