The United States Director of the Cybersecurity and Infrastructure Security Agency (CISA) released a warning on Friday about the active exploitation of Ivanti EPMM (formerly MobileIron Core) Vulnerabilities.
CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems.
CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078.
Ivanti’s EPMM solution is a widely used mobile management software engine that enables IT departments to set policies for mobile devices, applications, and content.
It counts government agencies around the world among its users, including a number in the U.S.
In July 2023, the Norwegian National Cyber Security Centre (NCSC-NO) became aware of Advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), to target a Norwegian government network.
Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.
Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.
EPMM is used widely across multiple governments, including in the U.S. Security platform Shodan showed dozens of agencies in the U.S. and Europe potentially exposed to the issue among thousands of other potential victims.
Exploitation of the Flaw
The APT actors exploited CVE-2023-35078 in public-facing Ivanti EPMM appliances since at least April 2023 in attacks directed against Norwegian entities, including a government network.
Mobile device management (MDM) systems are attractive targets for threat actors as they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability.
CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerability allows unauthenticated access to specific application programming interface (API) paths.
Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.
According to Ivanti, this vulnerability is a path traversal flaw with a CVSS v3 rating of 7.2. It permits an attacker to write any files onto the appliance.
CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices.
Threat actors, including APT actors, have previously exploited a MobileIron vulnerability.
CISA recommends administrators use the CISA-developed nuclei template to determine the Ivanti EPMM vulnerabilities.
CISA and NCSC-NO recommend organizations Upgrade Ivanti EPMM versions to the latest version as soon as possible and to Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring.
Also, CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this Cybersecurity Advisory (CSA).