Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron, has a security flaw that attackers can exploit over the internet without any credentials. While Ivanti has made updates available to address this problem, access to the details has curiously been limited.
NOTE: It has now been confirmed that the Norwegian government was targeted using this vulnerability (Post | LinkedIn).
The flaw, tracked as CVE-2023-35078, impacts versions 11.10, 11.9 and 11.8, as well as older installations that have reached end-of-life. For the supported versions, Ivanti provides updates 11.8.1.1, 11.9.1.1 and 11.10.0.2 and strongly urges users to install them. For versions no longer supported, a temporary fix appears to be available in the form of an RPM that closes the gap.
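To turn the version list above into a repeatable check for an inventory of appliances, here is an added Python example (not Ivanti's tooling, and not from the original post). It only encodes what the page states: the three fixed releases per supported branch, and that older branches are end-of-life. Any branch newer than 11.10 is not covered by the page, so the script reports it as unknown rather than guessing.

```python
from typing import Dict, Tuple

# Fixed releases per supported branch, as listed in the advisory for CVE-2023-35078.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}
NEWEST_KNOWN_BRANCH = max(FIXED_VERSIONS)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple, e.g. '11.8.1.1' -> (11, 8, 1, 1)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify an installed EPMM version against the fixed releases named on the page."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        if branch > NEWEST_KNOWN_BRANCH:
            # Not mentioned on the page; do not assume either way.
            return "unknown branch: check the vendor advisory"
        # Older branches are end-of-life; the page says only the RPM workaround applies.
        return "end-of-life: apply the vendor RPM workaround or upgrade"
    # Pad short strings so that '11.8' compares as 11.8.0.0.
    padded = v + (0,) * (4 - len(v))
    if padded >= fixed:
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mdm-a", "11.10.0.1"), ("mdm-b", "11.9.1.1"), ("mdm-c", "11.7.2.0")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```

Feed it the version strings from your asset inventory; anything not reported as "patched" needs attention.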
According to the great people at mnemonic, who have been involved in the case, simply changing the URI path to a vulnerable endpoint reaches the API without authentication, allowing commands to be executed on the system (Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability, mnemonic.io).
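Because the bypass is just an alternative URI path, the web server's access log is the natural place to look for it. The following is an added Python example (not mnemonic's or Ivanti's code, and not from the original post) that parses common-format access-log lines and flags successful requests to an unauthenticated API prefix. The page does not name the path, so `SUSPECT_PREFIX` is a placeholder to be replaced with the prefix from the vendor's guidance, and the log lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Hypothetical placeholder: the page says a changed URI path reaches the
# management API without authentication but does not give the path, so put
# the prefix from the vendor's guidance here.
SUSPECT_PREFIX = "/PLACEHOLDER/unauthenticated-api-prefix/"

# Common/combined access-log format (Apache or nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry: Dict[str, str], prefix: str) -> bool:
    """A request is suspect when it hits the unauthenticated prefix and the server
    answered with success: a working bypass leaves a 2xx, not a 401 or 403."""
    return entry["path"].startswith(prefix) and entry["status"].startswith("2")


def flag_requests(lines: Iterable[str], prefix: str = SUSPECT_PREFIX) -> List[Dict[str, str]]:
    """Scan log lines and return the parsed entries that match the bypass pattern."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspect(entry, prefix):
            hits.append(entry)
    return hits


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jul/2023:09:12:01 +0000] "GET /PLACEHOLDER/unauthenticated-api-prefix/users HTTP/1.1" 200 5120',
    '198.51.100.2 - admin [24/Jul/2023:09:12:05 +0000] "GET /login HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/Jul/2023:09:12:09 +0000] "GET /PLACEHOLDER/unauthenticated-api-prefix/devices HTTP/1.1" 401 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The status-code filter matters: a 401 or 403 on the suspect prefix is probing, while a 200 from an unauthenticated client is the bypass succeeding and should be triaged as a likely compromise.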
Interestingly, according to Ivanti, this urgent security issue bears no relation to the recently patched CVE-2023-25690 vulnerability which is only a couple of weeks old. The advisory suggests that the current vulnerability appears to already be under active exploitation. Upon request, Ivanti will provide affected customers with a document designed to help analyze potentially impacted systems. However, it’s important to note that the receipt of this information is bound by a non-disclosure agreement (NDA) with Ivanti.
Although the company hasn’t officially acknowledged the active exploitation of the zero-day, a private bulletin reveals that Ivanti was informed by a “trusted source” that CVE-2023-35078 was indeed exploited in attacks against a limited number of customers.
According to the private advisory, they received credible information indicating exploitation targeting a very small group of customers, likely fewer than 10. However, no further details are available to share at this time.
In a puzzling move, the associated knowledge base entry for Ivanti MobileIron MDM Unauthenticated API Access CVE-2023-35078 can only be accessed after logging in. The reasoning behind this perplexing information policy remains unclear.
In light of these security concerns, it is important for Ivanti Endpoint Manager Mobile users to take the necessary measures to secure their systems. Updates should be downloaded and installed promptly, and where possible, the impact on potentially vulnerable systems should be assessed.
According to Shodan there appear to be about 1500 organizations with MobileIron publicly exposed, and according to some sources this vulnerability is already being exploited.