Threat Advisory: Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability (CVE-2023-35078)
mnemonic is currently involved in an incident response engagement where we have observed an attack using a zero day authentication bypass vulnerability. If exploited, the vulnerability can provide an unauthorised, remote actor access to users’ personally identifiable information, as well as limited changes to the server.
Updated 03.08.2023: Find updates at end of advisory
At a press meeting on Monday the 24th of July, the Norwegian Government Security and Service Organisation (DSS) and the Norwegian National Security Authority (NSM) informed the public about a zero day vulnerability that has been exploited in an attack on DSS affecting 12 Ministries.
The authentication bypass vulnerability was discovered by security experts at mnemonic in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. Ivanti reports that the vulnerability impacts all supported versions (version 11.4 releases 11.10, 11.9 and 11.8). Older versions/releases are also at risk.
The vulnerability: CVE-2023-35078
A zero day vulnerability is a previously undiscovered flaw in a system, making it possible for a threat actor to exploit the vulnerability before a manufacturer or users are aware of it. Hence, it is difficult to protect against. We do not often observe zero days used in attacks.
This particular vulnerability has received a CVSS score of 10, meaning it is very easy to exploit and requires no particular tools or specialist competency.
Furthermore, it is easy to identify whether the vulnerability has been exploited in your systems. By reviewing your logs, you should be able to see whether the API v2 endpoint in Ivanti EPMM has been exploited. The API v2 becomes accessible without any authentication by changing the URI path. The API documentation describes https://[core server]/api/v2/ as the base URL for all API calls. If a vulnerable path is prepended to that base path, no authentication is needed to execute API calls, i.e. requests of the form https://[core server]/vulnerable/path/api/v2/.
If you see access to unusual paths on your system where you would expect regular API calls, you should investigate further to determine whether your system has been exploited.
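The log review described above, as an added example that is not mnemonic's or Ivanti's code: it scans web-server access-log entries for requests in which /api/v2/ appears anywhere other than at the start of the request path, and marks whether the client address lies outside a configured set of internal ranges. The log format, the field names, the internal ranges and the sample entries are assumptions for illustration; the "/example-prefix" segment is a placeholder and not the vulnerable path, which this advisory does not disclose.

```python
"""
Added example (not mnemonic's or Ivanti's code): flag access-log requests that
reach the EPMM API v2 through a prefixed URI path, i.e. where "/api/v2/" occurs
somewhere other than the start of the path. Log format, field names, internal
address ranges and sample entries are assumptions for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

API_BASE = "/api/v2/"

# Assumed internal address ranges; anything outside these is treated as
# internet-sourced traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed Common Log Format:
# client - - [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise_path(target: str) -> str:
    """Strip the query string, collapse repeated slashes and lower-case the path
    so trivial variants of the same request compare equal."""
    path = urlsplit(target).path
    return re.sub(r"/+", "/", path).lower()


def api_path_is_prefixed(target: str) -> bool:
    """True when /api/v2/ occurs in the request path but not where the documented
    base URL puts it, i.e. some path segment has been prepended to it."""
    path = normalise_path(target)
    return API_BASE in path and not path.startswith(API_BASE)


def is_external(ip: str) -> bool:
    """True unless the client address falls inside a configured internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: surface it rather than drop it
    return not any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return one finding per log line whose request path prefixes /api/v2/."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; a real deployment would log this
        if api_path_is_prefixed(m["target"]):
            findings.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
                "external": is_external(m["ip"]),
            })
    return findings


# Constructed sample entries. "/example-prefix" is a placeholder, not the real
# vulnerable path, which the advisory does not disclose.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2023:09:12:01 +0200] "GET /api/v2/devices HTTP/1.1" 401 0',
    '203.0.113.7 - - [24/Jul/2023:09:15:44 +0200] "GET /example-prefix/api/v2/users HTTP/1.1" 200 5120',
    '192.168.1.20 - - [24/Jul/2023:09:16:02 +0200] "GET /example-prefix//API/v2/devices?limit=10 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [24/Jul/2023:09:20:15 +0200] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        src = "internet" if f["external"] else "internal"
        print(f'{f["time"]} {f["ip"]} ({src}) {f["method"]} {f["target"]} -> {f["status"]}')
```

Run against the constructed sample, the first entry is a normal call to the documented base path and is not reported, while the second and third entries are reported because a segment precedes /api/v2/ (the third also shows why the path is normalised before matching). A finding with a 200 status from an internet-sourced client is the case the advisory says warrants immediate investigation.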
There is a patch available for supported versions of the product. It is recommended to patch the vulnerability immediately. If you are not able to patch because the required expertise is on vacation, turn off the system or block access to it from the internet until you are able to patch.
Further details about the vulnerability are not publicly known. If you need more information to evaluate whether your systems are at risk, feel free to reach out.
Detection coverage for mnemonic Managed Detection and Response (MDR) customers
Last week, mnemonic deployed a detection rule which triggers on traffic towards this URL originating from the internet.
Updates
mnemonic researchers discovered a second zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The Remote File Write vulnerability is assigned CVE-2023-35081 with a CVSS score of 7.2. We have observed active exploitation of CVE-2023-35078 in conjunction with CVE-2023-35081. Ivanti publicly disclosed the vulnerability on July 28, 2023 and a patch is available to fix the vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA) “Threat Actors Exploiting Ivanti EPMM Vulnerabilities” [CISA advisory | NCSC-NO advisory] in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. The advisory includes a list of indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).