Wednesday, December 6, 2023

CISA Published a Warning About Ivanti EPMM Zero-day Vulnerabilities

The United States Director of the Cybersecurity and Infrastructure Security Agency (CISA) released a warning on Friday about the active exploitation of Ivanti EPMM (formerly MobileIron Core) Vulnerabilities.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems.

CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078.

Ivanti’s EPMM solution is a widely used mobile management software engine that enables IT departments to set policies for mobile devices, applications, and content.

It counts government agencies around the world among its users, including a number in the U.S.

In July 2023, the Norwegian National Cyber Security Centre (NCSC-NO) became aware of Advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), to target a Norwegian government network.

Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.

Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.

EPMM is used widely across multiple governments, including in the U.S. Security platform Shodan showed dozens of agencies in the U.S. and Europe potentially exposed to the issue among thousands of other potential victims.

Exploitation of the Flaw

The APT actors exploited CVE-2023-35078 in public-facing Ivanti EPMM appliances since at least April 2023 in attacks directed against Norwegian entities, including a government network.

Mobile device management (MDM) systems are attractive targets for threat actors as they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability.

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerability allows unauthenticated access to specific application programming interface (API) paths.

Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, this vulnerability is a path traversal flaw with a CVSS v3 rating of 7.2. It permits an attacker to write any files onto the appliance.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices.

Threat actors, including APT actors, have previously exploited a MobileIron vulnerability.

CISA recommends administrators use the CISA-developed nuclei template to determine the Ivanti EPMM vulnerabilities.

CISA and NCSC-NO recommend organizations Upgrade Ivanti EPMM versions to the latest version as soon as possible and to Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring.

Also, CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this Cybersecurity Advisory (CSA).

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles