CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability

Critical vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

Background

On July 24, a post from Heise Online (English translation) detailed a recently patched zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM). It was formerly known as MobileIron Core prior to its acquisition by Ivanti in 2020.

Ivanti has published a blog post and a public advisory for this vulnerability that contains additional information, however further details are available in a knowledge base (KB) article only accessible to Ivanti customers.

On July 28, Ivanti published an advisory for an additional vulnerability that was exploited in the wild as a zero-day and used in conjunction with CVE-2023-35078.

Researchers at mnemonic are credited with discovering this additional zero-day vulnerability. In a blog post about the flaw, the researchers say they observed it "being used in combination with CVE-2023-35078 to write JSP and Java .class files to disk."

Analysis

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users. Successful exploitation would allow an attacker to be able to access “specific API paths” according to an alert from the Cybersecurity and Infrastructure Security Agency (CISA).

These API paths could allow an attacker to obtain personally identifiable information (PII) from the server that may include but is not limited to names, phone numbers, and details about the mobile devices being managed by EPMM.

Additionally, an attacker could potentially utilize the unrestricted API paths to modify a server’s configuration file, which could result in the creation of an admin account on the server that would allow the attacker to “make further changes to a vulnerable system.”

Knowledge Base article restricted to customers-only

Additional details surrounding CVE-2023-35078 are currently restricted to a knowledge base article that is only accessible to customers with valid login credentials. Tenable was provided access to the support article and our blog post reflects what we currently know about this vulnerability.

Confirmed exploitation of CVE-2023-35078 as a zero-day

According to the knowledge base article and blog post from Ivanti as well as a BleepingComputer report, the vulnerability was exploited in the wild as a zero-day “against a very small number of customers (e.g., less than 10).” The article does not provide any other specifics about the in-the-wild exploitation. The KB article does recommend that if a customer thinks they are impacted, they can request an “Analysis Guidance” document from Ivanti support.

Attack against 12 Norwegian government ministries linked to CVE-2023-35078

Runa Sandvik, a security researcher and founder of Granitt, noted that according to a LinkedIn post from Nasjonal sikkerhetsmyndighet, the Norwegian National Security Authority, a cyber attack against twelve Norwegian government ministries first discovered on July 12 has been linked to the exploitation of CVE-2023-35078:

Norwegian National Security Authority shared details about the supply chain attack disclosed this morning: a zero day in Ivanti Endpoint Manager, used by the Government Security and Service Organization (DSS). https://t.co/TYLWVCGUOn

— Runa Sandvik (@runasand) July 25, 2023

Probing of vulnerable EPMM systems has already begun

Security researcher Kevin Beaumont called the vulnerability “completely nuts,” adding that a honeypot he set up is “already being probed via the API”

Joint advisory from government agencies provides insights into real-world attacks

On August 1, the Cybersecurity and Infrastructure Security Agency (CISA) along with the Norwegian National Cyber Security Centre (NCSC-NO) published AA23-213A, a joint cybersecurity advisory (CSA) that provides insights into the attacks conducted against Norwegian organizations. This CSA from CISA and the NCSC-NO includes indicators of compromise (IOCs) along with tactics, techniques, and procedures (TTPs) discovered through investigations into these attacks. For more information, please review the CSA.

Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2023-35078 and CVE-2023-35081.

Solution

The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2023-35078 and CVE-2023-35081:

Ivanti also highlights that unsupported versions of EPMM prior to 11.8.1.0 (CVE-2023-35078) and 11.8.1.1 (CVE-2023-35081) are also affected and that customers using these unsupported versions are recommended to upgrade to a supported version. However, if upgrading is not possible to address CVE-2023-35078, Ivanti has provided a temporary fix in the form of an RPM Package Manager file that will remain in place during reboots but will not persist following an upgrade. For more information on applying the RPM fix, customers should refer to the KB article.

Identifying affected systems

Organizations that use Ivanti EPMM can utilize the following detection plugins to identify assets within their environments:

* Please note that the names of these plugins are subject to change but the plugin IDs will remain the same.

A list of Tenable plugins to identify can be located on the individual CVE pages for CVE-2023-35078 and CVE-2023-35081 as they’re released. This link will display all available plugins for each vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Heise Online Article: Ivanti closes zero-day gap in MobileIron
• Ivanti Blog Post: CVE-2023-35078 - New Ivanti EPMM Vulnerability
• Ivanti Article 000087041: CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability
• Ivanti KB Remote unauthenticated API access vulnerability - CVE-2023-35078
• Ivanti Article 000087119: CVE-2023-35081 - Remote Arbitrary File Write
• KB Remote Arbitrary File Write - CVE-2023-35081
• LinkedIn Post from Norwegian National Security Authority (NSM)
• AA23-213A: Threat Actors Exploiting Ivanti EPMM Vulnerabilities (CISA and NCSC-NO)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.