
Remote Unauthenticated API Access Vulnerabilities in Ivanti

Posted: August 8, 2023 | 3 min read

Ivanti has warned users of its Endpoint Manager Mobile (EPMM) mobile device management (MDM) platform, urging immediate actions to address two vulnerabilities – including a zero-day exploit.

A remote, unauthenticated attacker could exploit these vulnerabilities to gain access to sensitive data and perform malicious actions on the affected system.

Analyzing Identified API Access Vulnerabilities

Formerly known as MobileIron Core, Ivanti Endpoint Manager Mobile (EPMM) is a management platform that provides organizations with the means to manage mobile devices, including smartphones and tablets.

As of now, Ivanti has disclosed two remote API access vulnerabilities:

  • CVE-2023-35078 (July 24, 2023)
  • CVE-2023-35082 (August 2, 2023)

CVE-2023-35078 

Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35078 is a remote unauthenticated API access vulnerability that affects Ivanti EPMM. A remote attacker, without any credentials, can exploit it to gain access to sensitive data and perform malicious actions on the affected system.

Successful exploitation of this vulnerability could lead to various security risks, including but not limited to:

  1. Unauthorized access to sensitive information stored within Ivanti EPMM.
  2. Execution of unauthorized administrative actions, potentially compromising the integrity and availability of your data and resources.
  3. Unintended disclosure of confidential data to unauthorized parties.

All supported versions, including Version 11.4 with its releases 11.10, 11.9, and 11.8, are affected by this vulnerability. Furthermore, this issue also extends to product versions that no longer receive support.

In response to the identified vulnerability, Ivanti promptly released patches for versions 11.8.1.1, 11.9.1.1, and 11.10.0.2.

For EPMM Unsupported Releases (<11.8.1.0), Ivanti highly recommends upgrading to the latest version of EPMM; if you cannot upgrade, apply an RPM fix.

Active Exploitations

Ivanti has confirmed that CVE-2023-35078 has been exploited in the wild, affecting a “very limited number of customers.” Further validating this, the Norwegian National Security Authority (NSM) has confirmed that CVE-2023-35078 was used to breach a government-operated software platform.

In parallel, the CISA also issued an advisory regarding the vulnerability, incorporating it into their Known Exploited Vulnerabilities (KEV) list.

CVE-2023-35082 

Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35082 is another remote unauthenticated API access vulnerability; it affects MobileIron Core versions 11.2 and older. Like CVE-2023-35078, it allows a remote unauthenticated attacker to reach API endpoints on a publicly exposed management server and use them to perform a range of operations.

The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug.

Note: MobileIron Core 11.2 has been out of support since March 15, 2022.
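The patch levels given above for CVE-2023-35078 (11.8.1.1, 11.9.1.1 and 11.10.0.2, with anything below 11.8.1.0 unsupported) and the 11.2/11.3 boundary for CVE-2023-35082 are enough to triage an inventory of EPMM / MobileIron Core hosts. The following Python is an added example, not code from Ivanti or Indusface. It assumes an inventory of host names paired with dotted version strings (the sample hosts and versions are constructed), and it assumes that a build at or above a listed patch version within the same release branch is patched; release branches not listed on this page are reported as unknown rather than guessed.

```python
"""Patch-level triage for the two Ivanti EPMM / MobileIron Core advisories
summarized on this page. Version thresholds come from the page; the sample
inventory (host names and versions) is constructed for illustration."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# CVE-2023-35078: first patched build per supported release branch (from the page).
PATCHED_35078: Dict[Tuple[int, int], Version] = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}
# Anything below 11.8.1.0 is an unsupported EPMM release (from the page).
OLDEST_SUPPORTED: Version = (11, 8, 1, 0)
# CVE-2023-35082: MobileIron Core 11.2 and older; resolved in 11.3 (from the page).
FIXED_35082: Version = (11, 3, 0, 0)


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '11.9.1.1' or '11.10' into a 4-tuple.

    Missing trailing components are padded with zeros so that '11.9'
    compares as 11.9.0.0; anything non-numeric is rejected.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text: str) -> Dict[str, str]:
    """Return a per-CVE status for one EPMM / MobileIron Core version string."""
    v = parse_version(version_text)
    result: Dict[str, str] = {}

    # CVE-2023-35082 affects 11.2 and older and was fixed in 11.3.
    result["CVE-2023-35082"] = "affected" if v < FIXED_35082 else "fixed"

    # CVE-2023-35078 affects every supported and unsupported release; only the
    # listed patch builds (or later builds within the same branch) are safe.
    if v < OLDEST_SUPPORTED:
        result["CVE-2023-35078"] = "affected-unsupported"   # upgrade or apply the RPM fix
    else:
        patched = PATCHED_35078.get(v[:2])
        if patched is None:
            # Branch not covered by the data on this page: verify with the vendor.
            result["CVE-2023-35078"] = "unknown-branch"
        elif v < patched:
            result["CVE-2023-35078"] = "affected"
        else:
            result["CVE-2023-35078"] = "patched"
    return result


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Produce one action line per host that still needs work; clean hosts are omitted."""
    lines: List[str] = []
    for host, ver in inventory:
        status = assess(ver)
        open_items = [cve for cve, s in status.items() if s not in ("patched", "fixed")]
        if open_items:
            detail = ", ".join(f"{cve}={status[cve]}" for cve in open_items)
            lines.append(f"{host} ({ver}): {detail}")
    return lines


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mdm-01.example.internal", "11.10.0.2"),   # patched build
    ("mdm-02.example.internal", "11.9.0.3"),    # supported but below 11.9.1.1
    ("mdm-legacy.example.internal", "11.2.0.1"),  # unsupported, hit by both CVEs
    ("mdm-03.example.internal", "11.11.0.0"),   # branch not listed on this page
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

The check deliberately refuses to guess about release branches the advisory does not list; an unknown branch is a prompt to confirm with the vendor, not a pass. Version comparison is done on integer tuples so that 11.10 sorts after 11.9, which a plain string comparison would get wrong.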

Prevention and Mitigation

  • Without delay, apply the relevant updates provided by Ivanti to vulnerable systems, following proper testing.
  • Employ vulnerability scanning to identify possible software vulnerabilities that require mitigation.
  • Implement the principle of least privilege across all systems and services. Running software with non-administrative privileges helps minimize the impact of a successful attack.

AppTrana WAAP Threat Coverage

AppTrana customers are protected from these vulnerabilities from Day 0.

Apart from the patches provided by the vendor, AppTrana WAAP offers additional protection patterns that can serve as an extra layer of defense against potential exploits.

To protect our customers, the Indusface managed security team developed rules that generate Ivanti-related alerts and block exploitation attempts.

Rule ID   Name
99901     Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)

References:

  • Advisory: https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  • Advisory: https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
  • Patch: https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078?language=en_US

Author: Mayank Kumar, Security Researcher R&D, Indusface