UPDATE (8/1/2023):
Last week, Avertium published a flash notice regarding CVE-2023-35078 – an authentication bypass zero-day vulnerability found in Ivanti’s Endpoint Manager Mobile (EPMM). This week, a second zero-day vulnerability (CVE-2023-35081) was discovered in EPMM. The new zero-day is a remote arbitrary file write vulnerability and could allow attackers to remotely create, modify, or delete files on the EPMM server.
Ivanti's advisory states that the vulnerability is different from the original zero-day (CVE-2023-35078) and affects all supported versions/releases: 11.10, 11.9, and 11.8. Older versions/releases are also at risk. An attacker who successfully exploits this vulnerability can write malicious files to the appliance, which could allow them to execute operating system commands on the appliance as the "tomcat" user. CVE-2023-35081 has a lower CVSS score of 7.2 because an attacker needs administrative privileges to exploit it. As of now, Ivanti is only aware of a limited number of customers impacted by the vulnerability. Please find Avertium's updated recommendations for patch guidance for CVE-2023-35081 below.
OVERVIEW
Ivanti has issued a security advisory regarding CVE-2023-35078 – an authentication bypass vulnerability impacting its widely used Endpoint Manager Mobile (EPMM, formerly known as MobileIron Core). The vulnerability has been exploited in zero-day attacks and impacts versions 11.10, 11.9, and 11.8, as well as older end-of-life installations of the software.
Successful exploitation of this flaw allows unauthenticated attackers to remotely access specific API paths, compromising personally identifiable information (PII), such as names, phone numbers, and mobile device details. Additionally, attackers can make configuration changes on compromised devices, including creating administrative accounts, granting them further control over vulnerable systems.
Although Ivanti has not publicly released indicators of compromise (IoCs), security experts believe that threat actors can quickly develop their own exploits using the information available about the vulnerable endpoint, escalating the attacks. Ivanti has released a patch to address CVE-2023-35078 but has received criticism because the company initially took down its public advisory regarding the issue, placing it behind a paywall instead. The customer-facing information in the advisory can only be accessed with an account.
All network administrators using Ivanti's Endpoint Manager Mobile must take immediate action and upgrade to the latest version of the product. CVE-2023-35078 has a CVSS score of 10 and will be heavily exploited as the weeks move forward. So far, 12 government agencies in Norway have been breached, and the Cybersecurity and Infrastructure Security Agency (CISA) has advised that all U.S. federal agencies secure their systems by August 15, 2023. Most of the servers at risk are within the U.S., Germany, the United Kingdom, and Hong Kong.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-35078 or CVE-2023-35081. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
SUPPORTING DOCUMENTATION
CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (ivanti.com)
Norway says Ivanti zero-day was used to hack govt IT systems (bleepingcomputer.com)
Ivanti Releases Security Updates for Endpoint Manager Mobile (EPMM) CVE-2023-35078 | CISA
Ivanti urges customers to apply patch for exploited MobileIron vulnerability (therecord.media)
Ivanti patches MobileIron zero-day bug exploited in attacks (bleepingcomputer.com)
CVE-2023-35081 - Remote Arbitrary File Write (ivanti.com)
Ivanti fixes second zero-day exploited by attackers (CVE-2023-35081) - Help Net Security
Ivanti Patches Second Zero Day in Mobile Management Software | Decipher (duo.com)