
Tenable Blog


CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability

A zero-day vulnerability (identified as CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, was exploited in the wild in limited attacks.

A critical vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks.

Update August 1: This blog has been updated to include a link to a joint cybersecurity advisory from CISA and the NCSC-NO that includes details about the in-the-wild exploitation of CVE-2023-35078.


Background

On July 24, a post from Heise Online (English translation) detailed a recently patched zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM). The product was known as MobileIron Core prior to Ivanti's acquisition of MobileIron in 2020.

| CVE | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2023-35078 | Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability | 10.0 | Critical |

Ivanti has published a blog post and a public advisory for this vulnerability that contain additional information. However, further details are available only in a knowledge base (KB) article that is accessible to Ivanti customers.

On July 28, Ivanti published an advisory for an additional vulnerability that was exploited in the wild as a zero-day and used in conjunction with CVE-2023-35078.

| CVE | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2023-35081 | Ivanti Endpoint Manager Mobile (EPMM) Arbitrary File Write Vulnerability | 7.2 | High |

Researchers at mnemonic are credited with discovering this additional zero-day vulnerability. In a blog post about the flaw, the researchers say they observed it "being used in combination with CVE-2023-35078 to write JSP and Java .class files to disk."

Analysis

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API), which is normally only accessible to authenticated users. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation would allow an attacker to access “specific API paths.”

These API paths could allow an attacker to obtain personally identifiable information (PII) from the server that may include but is not limited to names, phone numbers, and details about the mobile devices being managed by EPMM.

Additionally, an attacker could potentially utilize the unrestricted API paths to modify a server’s configuration file, which could result in the creation of an admin account on the server that would allow the attacker to “make further changes to a vulnerable system.”

Knowledge Base article restricted to customers only

Additional details surrounding CVE-2023-35078 are currently restricted to a knowledge base article that is only accessible to customers with valid login credentials. Tenable was provided access to the support article and our blog post reflects what we currently know about this vulnerability.

Confirmed exploitation of CVE-2023-35078 as a zero-day

According to the knowledge base article and blog post from Ivanti as well as a BleepingComputer report, the vulnerability was exploited in the wild as a zero-day “against a very small number of customers (e.g., less than 10).” The article does not provide any other specifics about the in-the-wild exploitation. The KB article does recommend that if a customer thinks they are impacted, they can request an “Analysis Guidance” document from Ivanti support.

Attack against 12 Norwegian government ministries linked to CVE-2023-35078

Runa Sandvik, a security researcher and founder of Granitt, noted that according to a LinkedIn post from Nasjonal sikkerhetsmyndighet, the Norwegian National Security Authority, a cyber attack against twelve Norwegian government ministries first discovered on July 12 has been linked to the exploitation of CVE-2023-35078.

Probing of vulnerable EPMM systems has already begun

Security researcher Kevin Beaumont called the vulnerability “completely nuts,” adding that a honeypot he set up is “already being probed via the API.”

Joint advisory from government agencies provides insights into real-world attacks

On August 1, the Cybersecurity and Infrastructure Security Agency (CISA) along with the Norwegian National Cyber Security Centre (NCSC-NO) published AA23-213A, a joint cybersecurity advisory (CSA) that provides insights into the attacks conducted against Norwegian organizations. This CSA from CISA and the NCSC-NO includes indicators of compromise (IOCs) along with tactics, techniques, and procedures (TTPs) discovered through investigations into these attacks. For more information, please review the CSA.

Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2023-35078 and CVE-2023-35081.

Solution

The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2023-35078 and CVE-2023-35081:

| CVE-ID | Affected Versions of EPMM | Fixed Versions of EPMM |
| --- | --- | --- |
| CVE-2023-35078 | 11.10.1 and below | 11.10.0.2 and above |
| CVE-2023-35078 | 11.9.1.0 and below | 11.9.1.1 and above |
| CVE-2023-35078 | 11.8.1.0 and below | 11.8.1.1 and above |
| CVE-2023-35081 | 11.10.0.2 and below | 11.10.0.3 |
| CVE-2023-35081 | 11.9.1.1 and below | 11.9.1.2 |
| CVE-2023-35081 | 11.8.1.1 and below | 11.8.1.2 |

Ivanti also highlights that unsupported versions of EPMM prior to 11.8.1.0 (CVE-2023-35078) and 11.8.1.1 (CVE-2023-35081) are also affected and that customers using these unsupported versions are recommended to upgrade to a supported version. However, if upgrading is not possible to address CVE-2023-35078, Ivanti has provided a temporary fix in the form of an RPM Package Manager file that will remain in place during reboots but will not persist following an upgrade. For more information on applying the RPM fix, customers should refer to the KB article.
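To turn the version table above into a repeatable check against an EPMM inventory, the following script is an added example (it is not Tenable or Ivanti code). It encodes the first fixed version per release branch for each CVE, treats any version below that fixed version as affected, and, as Ivanti states, treats every version older than 11.8.1.0 as unsupported and affected. Versions on a branch the table does not cover are reported as unknown rather than silently marked clean. The hostnames and versions in the sample inventory are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

CVES = ("CVE-2023-35078", "CVE-2023-35081")

# First fixed version per (major, minor) release branch, taken from the table above.
FIXED_VERSIONS: Dict[Tuple[int, int], Dict[str, Version]] = {
    (11, 10): {"CVE-2023-35078": (11, 10, 0, 2), "CVE-2023-35081": (11, 10, 0, 3)},
    (11, 9):  {"CVE-2023-35078": (11, 9, 1, 1),  "CVE-2023-35081": (11, 9, 1, 2)},
    (11, 8):  {"CVE-2023-35078": (11, 8, 1, 1),  "CVE-2023-35081": (11, 8, 1, 2)},
}

# Ivanti states that unsupported releases prior to 11.8.1.0 are also affected.
OLDEST_SUPPORTED: Version = (11, 8, 1, 0)


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '11.9.1' into a 4-tuple (11, 9, 1, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"invalid version string: {text!r}")
    # Pad short strings so that tuple comparison works field by field.
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str, cve: str) -> Optional[bool]:
    """True if the version is affected by the CVE, False if fixed, None if the
    version is on a branch the advisory table does not describe."""
    if cve not in CVES:
        raise ValueError(f"unknown CVE: {cve}")
    v = parse_version(version)
    if v < OLDEST_SUPPORTED:
        return True  # unsupported release; Ivanti says these are affected
    branch = FIXED_VERSIONS.get(v[:2])
    if branch is None:
        return None  # not covered by the table on this page
    return v < branch[cve]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, finding) for every host that still needs attention.
    Hosts at or above the fixed version for both CVEs are omitted."""
    findings = []
    for host, version in inventory:
        results = {cve: is_affected(version, cve) for cve in CVES}
        if None in results.values():
            findings.append((host, version, "version not covered by advisory table"))
        elif any(results.values()):
            open_cves = ", ".join(cve for cve, hit in results.items() if hit)
            findings.append((host, version, open_cves))
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("mdm-prod-01", "11.10.0.1"),   # below both fixed versions
    ("mdm-prod-02", "11.10.0.2"),   # fixed for 35078, still open for 35081
    ("mdm-lab-01", "11.7.2.0"),     # unsupported release
    ("mdm-prod-03", "11.10.0.3"),   # fixed for both
    ("mdm-test-01", "11.11.0.0"),   # branch not described by the table
]

if __name__ == "__main__":
    for host, version, finding in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<10} {finding}")
```

The version strings are compared as integer tuples so that 11.10.0.2 correctly sorts above 11.9.1.2, which a plain string comparison would get wrong. Because the table's 11.10 row lists affected and fixed versions that overlap, the check keys on the fixed version alone: a host is considered clean only once it is at or above the first fixed release for each CVE.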

Identifying affected systems

Organizations that use Ivanti EPMM can utilize the following detection plugins to identify assets within their environments:

| Plugin ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 141340 | MobileIron Core Detection | Nessus | Service detection | INFO |
| 141341 | MobileIron Core API Detection | Nessus | Service detection | INFO |

* Please note that the names of these plugins are subject to change but the plugin IDs will remain the same.

A list of Tenable plugins to identify CVE-2023-35078 and CVE-2023-35081 can be found on the individual CVE pages as they’re released. Each link displays all available plugins for that vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Change Log

Update August 1: This blog has been updated to include a link to a joint cybersecurity advisory from CISA and the NCSC-NO that includes details about the in-the-wild exploitation of CVE-2023-35078.

Update July 28: The Background, Proof of Concept, Solution and Identifying Affected Systems and Get More Information sections have been updated to highlight a newly disclosed zero-day vulnerability in Ivanti EPMM (CVE-2023-35081) that was exploited in the wild in conjunction with CVE-2023-35078.
