CVE-2023-35078 | CVSS 10 | Critical
CVE-2023-35082 | CVSS 10 | Critical
Ivanti, in partnership with Rapid7, has announced back-to-back critical vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM), formerly MobileIron. Both vulnerabilities have been exploited in the wild, and both carry the maximum CVSS score of 10, meaning they are critical, if not an emergency, to mitigate ASAP.
CVE-2023-35078 | Remote Unauthenticated API Access
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. It affects all supported versions (11.10, 11.9 and 11.8); older, unsupported releases are also at risk.
An unauthenticated, remote (internet-facing) actor can access users’ personally identifiable information and make limited changes to the server.
CVE-2023-35082 | Remote Unauthenticated API Access / Patch Bypass
While investigating CVE-2023-35078, Rapid7’s team discovered an additional vulnerability that Rapid7 considers a bypass of the CVE-2023-35078 patch. See Rapid7’s emergent threat response blog and the AttackerKB assessment of the vulnerability.
Review Rapid7’s findings of CVE-2023-35082
https://attackerkb.com/topics/8vqyuSfHRq/cve-2023-35078
Indicators of Compromise (IOCs)
The following indicators of compromise are present in the Apache HTTP logs stored on the appliance.
The log file /var/log/httpd/https-access_log will have an entry showing a request to a targeted API endpoint, containing /mifs/aad/api/v2/ in the path and showing an HTTP response code of 200. Blocked exploitation attempts will show an HTTP response code of either 401 or 403.
For example:
192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
More information found here:
https://attackerkb.com/topics/8vqyuSfHRq/cve-2023-35078
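The following script applies the indicator above to access-log lines: it picks out every request whose path contains /mifs/aad/api/v2/ and sorts it into a successful (200) or blocked (401/403) attempt, then lists the source addresses that received a 200 so they can be investigated first. This is an added triage example, not code from the advisory, Ivanti or Rapid7. The field layout is modelled on the single sample line in the advisory; the field order and the unbracketed timestamp are assumptions about that appliance's log format, and the sample log embedded below is constructed (only its first line is the advisory's own example).

```python
"""Triage helper for the EPMM access-log indicator: find requests to the targeted
API path and sort them by outcome.

Added example, not part of the original advisory. The log layout (field order,
unbracketed timestamp) is assumed from the advisory's one sample line; adjust
LOG_RE if your appliance's LogFormat differs.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Path fragment the advisory names as the indicator.
TARGET_FRAGMENT = "/mifs/aad/api/v2/"

# Assumed layout:
# client:port - - timestamp "METHOD path PROTO" status bytes "referer" "user-agent" [duration]
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Finding:
    client: str        # source IP with the port stripped
    timestamp: str
    method: str
    path: str
    status: int
    user_agent: str
    verdict: str       # "success", "blocked" or "other"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_status(status: int) -> str:
    """200 means the request reached the API; 401/403 are the blocked attempts the advisory describes."""
    if status == 200:
        return "success"
    if status in (401, 403):
        return "blocked"
    return "other"


def scan_lines(lines: Iterable[str]) -> list[Finding]:
    """Return a Finding for every request whose path contains the target fragment."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: review separately rather than treating as a match
        path = rec["path"].split("?", 1)[0]  # ignore any query string when testing the fragment
        if TARGET_FRAGMENT not in path:
            continue
        client = rec["client"].rsplit(":", 1)[0]
        status = int(rec["status"])
        findings.append(Finding(client, rec["ts"], rec["method"], rec["path"],
                                status, rec["ua"], classify_status(status)))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count verdicts and collect the clients that got a 200, the ones to investigate first."""
    return {
        "counts": dict(Counter(f.verdict for f in findings)),
        "successful_clients": sorted({f.client for f in findings if f.verdict == "success"}),
    }


# Constructed sample log: the advisory's own example line, then made-up lines covering
# a 401 attempt, a 403 attempt with a query string, ordinary portal traffic and a malformed entry.
SAMPLE_LOG = """\
192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
203.0.113.7:44120 - - 2023-07-27--13-02-10 "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "python-requests/2.31" 12
203.0.113.7:44121 - - 2023-07-27--13-02-11 "GET /mifs/aad/api/v2/ping?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31" 9
198.51.100.22:50011 - - 2023-07-27--13-03-00 "GET /mifs/login.jsp HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 301
this line is not an access-log entry
"""

if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.verdict:8} {f.client:15} {f.timestamp} {f.method} {f.path} {f.status} {f.user_agent}")
    print(summarize(results))
```

Run it against the real file with `scan_lines(open("/var/log/httpd/https-access_log"))`. A 200 is the indicator that matters; 401/403 hits show who is probing and are useful for blocking and correlation, but on their own do not indicate compromise. Lines that fail to parse are skipped rather than counted, so compare the parsed count against `wc -l` to make sure the regex actually fits your log format before trusting an empty result.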
Remediation
Ivanti encourages customers using EPMM/MobileIron Core 11.2 and below to upgrade to a currently supported version ASAP.
Ivanti has released the following patches to address the issue:
- 11.10.0.2
- 11.9.1.1
- 11.8.1.1
Product versions no longer receiving support are also affected, and Ivanti has released a workaround as part of their response.
As always, you must threat-hunt in addition to any remediation steps. Remediation steps do not account for any potential persistence mechanisms that attackers could have left behind on the system, nor do they account for any potential lateral movement after the initial exploit. Patches only stop the specific vulnerability from being exploited further. As we have seen in the past, the initial exploit is often utilized to establish persistence and execute an attack later on.
Sources
https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-and-older
https://thehackernews.com/2023/08/researchers-discover-bypass-for.html
