Last updated at Tue, 27 Feb 2024 17:17:44 GMT

CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and has a severity rating of Critical.

Ivanti has reported that they have received information from a credible source indicating active exploitation of CVE-2023-35078. A vendor-supplied patch to remediate CVE-2023-35078 was released on July 24, 2023.

Background

Ivanti Endpoint Manager Mobile (EPMM) is used to configure and manage mobile devices and enforce security policies on those devices. According to Ivanti’s advisory, if exploited, CVE-2023-35078 enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

On July 24, 2023, the Norwegian National Security Authority (NSM) released a statement that CVE-2023-35078 was used in a zero-day attack to successfully compromise the Norwegian Security and Service Organization (DSS). Additionally, the US Cybersecurity & Infrastructure Security Agency (CISA) has released an advisory for the vulnerability and added it to their Known Exploited Vulnerabilities (KEV) catalog.

According to CISA’s advisory, the vulnerability allows a remote unauthenticated attacker to access personally identifiable information (PII) and add an administrator account on the affected EPMM server, to allow for further system compromise.

The Shadowserver project has listed 2,729 IP addresses on the internet that remain vulnerable to the issue (as of July 24, 2023).

Currently, no known public exploit code is available (as of July 26, 2023). If public exploit code becomes available, we expect broader exploitation of vulnerable internet-facing systems. Organizations running the affected software are advised to apply the vendor patch as soon as possible.

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

CVE-2023-35078 affects all supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch:

  • 11.10
  • 11.9
  • 11.8

Product versions no longer receiving support are also affected, and Ivanti has released a workaround as part of their response.

Ivanti has released the following patches to remediate the issue:

  • 11.10.0.2
  • 11.9.1.1
  • 11.8.1.1

Indicators of Compromise (IoC)

The following indicators of compromise are present in the Apache HTTP logs stored on the appliance.

The log file /var/log/httpd/https-access_log will have an entry showing a request to a targeted API endpoint, containing /mifs/aad/api/v2/ in the path and showing an HTTP response code of 200. Blocked exploitation attempts will show an HTTP response code of either 401 or 403. For example:

192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
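As an added example (not code from the original post, Ivanti, or Rapid7), the following Python checker applies the rule above to access-log lines: it flags requests whose path contains /mifs/aad/api/v2/, treating a 200 response as a successful access and 401/403 as a blocked attempt. The field layout is assumed from the single entry shown above, and the sample log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Layout assumed from the entry above:
# <client>:<port> - - <timestamp> "<method> <path> <proto>" <status> <bytes> "<referer>" "<user-agent>" <usec>
LOG_RE = re.compile(
    r'^(?P<client>[^\s:]+)(?::(?P<port>\d+))? - - (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TARGET_PREFIX = "/mifs/aad/api/v2/"  # path fragment named in the IoC guidance above


def classify(line: str) -> Optional[dict]:
    """Return a finding for a line that touches the targeted API path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, percent-decode and lower-case so the literal
    # prefix check is not defeated by trivial encoding or case differences.
    path = unquote(m.group("path").split("?", 1)[0]).lower()
    if TARGET_PREFIX not in path:
        return None
    status = int(m.group("status"))
    if status == 200:
        verdict = "successful-access"   # matches the IoC: request reached the API
    elif status in (401, 403):
        verdict = "blocked-attempt"     # attempt rejected by the appliance
    else:
        verdict = "other"
    return {"client": m.group("client"), "ts": m.group("ts"), "path": path,
            "status": status, "ua": m.group("ua"), "verdict": verdict}


def scan(lines):
    """Classify every line and keep only those that touched the targeted path."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (same layout as the entry above; not real traffic).
SAMPLE_LOG = """\
192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
192.168.86.34:58490 - - 2023-07-27--13-02-10 "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.0.1" 910
10.0.0.5:40000 - - 2023-07-27--13-03-00 "GET /mifs/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0" 3000
10.0.0.7:41000 - - 2023-07-27--13-04-00 "GET /MIFS/aad/api/v2/ping HTTP/1.1" 403 0 "-" "curl/8.0.1" 800
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['client']} {f['status']} {f['verdict']} {f['path']}")
```

Run it against /var/log/httpd/https-access_log by passing the file's lines to scan(); a "successful-access" finding with a 200 status is the indicator described above and warrants investigation of that client and time window.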

Rapid7 Customers

Instructions to install the patch or workaround are available on Ivanti's KB article (which requires a free login to access).

An unauthenticated (remote) check will be available to InsightVM customers in tonight’s (July 26, 2023) content release.

Updates

July 28, 2023: CISA issued a new alert for CVE-2023-35081, a remote arbitrary file write vulnerability in Ivanti EPMM. Both CISA and Ivanti have confirmed that the new CVE was exploited in the wild and chained together with CVE-2023-35078 to remotely execute malicious code on a compromised system.