[German]After already admitting to two vulnerabilities in July 2023 that were exploited in hacks, Ivanti has confirmed another vulnerability in MobileIron Core (Ivanti Endpoint Manager Mobile, EPMM). According to a new security advisory from Ivanti, there is another vulnerability CVE-2023-35082 in Ivanti MobileIron Core version 11.2 and older that should be fixed by a software update to a new, still supported version.
Advertising
The vulnerability CVE-2023-35082
According to this Ivanti security advisory, dated August 2, 2023, there is an Authentication Bypass vulnerability in MobileIron Core version 11.2 and older. This Remote Unauthenticated API Access vulnerability CVE-2023-35082 has a CVSS score of 10.0, which is the highest possible score. The vulnerability allows authentication bypass in MobileIron Core version 11.2 and earlier versions, allowing attackers to access restricted features or resources of the application.
Ivanti writes that the vulnerability was accidentally fixed in MobileIron Core 11.3 when they were working on fixing a product bug there. The vulnerability was previously unknown. Ivanti officials say the risk is that an attacker could remotely access users' personally identifiable information and make limited changes to the server.
However, they say MobileIron Core 11.2 is no longer supported as of March 15, 2022. Therefore, Ivanti will not issue a patch or other workaround to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats, it says.
Ivanti mentions security researchers from Rapid7, who were probably involved in discovering the vulnerability. The colleagues from Bleeping Computer have linked to the Rapid7 post, where details are listed. Indicators of Compromise (ICOs) are also listed there, which can be used to identify an attack.
In general, yes vulnerabilities in Ivanti Endpoint Manager Mobile, EPMM, are keeping administrators responsible for its deployment busy, as the product has been under attack via previously unknown vulnerabilities since at least April 2023. It was noticed by a hack of a platform used by 12 Norwegian ministries (see Patch your Ivanti EPMM – Norwegian government hacked via 0-day).
Advertising
Later a 2nd vulnerability has been revealed (I've covered that within my German blog post Patch your Ivanti EPMM – Norwegian government hacked via 0-day).
Warning: Probably many systems vulnerable
From Palo Alto Networks, as of Monday (July 31, 2023), I have a report stating that a Cortex Xpanse data analysis (as of July 24, 2023) for attack surface management revealed that a total of 85 countries have over 5,500 IEMM servers publicly accessible on the Internet in various versions. Regional statistics from this scan show that over 80 percent of these servers are located in Western countries and span multiple sectors and industries. These include government agencies, healthcare, law firms, universities, financial institutions, charities, and retail.
Publicly accessible Ivanti Endpoint Manager Mobile (EPMM) instances; source Palo Alto Networks.
Germany and the U.S. each had over 1,000 servers at this point. Threat researchers found by far the most attacks in Germany, followed by the U.S. and the U.K. (see also chart above).
Given the number of potentially vulnerable servers on the Internet running this software, it is very likely that many institutions or companies in different countries could become or have already become targets, according to Palo Alto security researchers Unit 42. Open source reports indicate that initial attacks most likely occurred before Ivanti knew about the vulnerability. US security authority CISA issued a warning, dated August 1, 2023, that Ivanti instances are becomming a target of attacks.
Advertising
