Threat Advisory: Remote File Write Vulnerability in Ivanti EPMM (CVE-2023-35081)
mnemonic researchers have discovered a new zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This is different from the Authentication Bypass vulnerability CVE-2023-35078 disclosed earlier this week.
Updated 03.08.2023: find updates at the end of the advisory.
We have been working together with Ivanti to disclose and patch the vulnerability, which is being tracked as CVE-2023-35081. The vulnerability has received a CVSS score of 7.2, meaning its severity is categorised as high.
Remote File Write (RFW) vulnerabilities pose serious threats to system security.
The vulnerability: CVE-2023-35081
A Remote File Write vulnerability is a type of security flaw that allows an attacker to create, modify, or delete files on a victim's system remotely. This could potentially lead to a broad spectrum of attacks, including data breaches and system takeovers.
We have observed this exploit being used in combination with CVE-2023-35078 to write JSP and Java .class files to disk.
These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers.
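As an added defensive illustration (not code from mnemonic or Ivanti), the script below baselines the JSP and .class files under a web application directory and reports any such files that appear or change afterwards, which is the artefact type described above. The directory layout and file contents are constructed for the demo; the real EPMM/Tomcat paths are not given in this advisory and are left as an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the advisory reports being written to disk during exploitation.
WATCHED_SUFFIXES = {".jsp", ".class"}

def sha256_of(path: Path) -> str:
    """Hash in chunks so large trees are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map each watched file under root (relative path -> sha256)."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }

def find_deviations(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against a known-good baseline. Anything 'added' or
    'modified' is a JSP/.class file Tomcat may load that the deployment did not ship."""
    current = build_baseline(root)
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in both if baseline[k] != current[k]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario (assumed layout): clean app, then a new JSP and a swapped class."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WEB-INF" / "classes").mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- legitimate page --%>")
        (root / "WEB-INF" / "classes" / "App.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00")
        baseline = build_baseline(root)
        (root / "unexpected.jsp").write_text("<%-- file not part of the deployment --%>")
        (root / "WEB-INF" / "classes" / "App.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x01")
        return find_deviations(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a freshly patched, known-good deployment and stored off-host, and the diff is scheduled or run during triage.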
Ivanti reports that the vulnerability impacts all supported versions of Ivanti Endpoint Manager Mobile (EPMM): version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.
Patch your Ivanti EPMM instance and follow Ivanti recommendations.
If you need more information to evaluate whether your systems are at risk, feel free to reach out.
Detection coverage for mnemonic Managed Detection and Response (MDR) customers
mnemonic has deployed a detection rule specifically for this CVE.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA) “Threat Actors Exploiting Ivanti EPMM Vulnerabilities” [CISA advisory | NCSC-NO advisory] in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. The advisory includes a list of indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).