Vendor Ivanti has had to warn about critical vulnerabilities in its Endpoint Manager Mobile (EPMM) several times in recent weeks and issue security updates. The starting point for this flood of security reports was the hack of Norway's government via an Ivanti zero-day. For several weeks now, companies around the world – a great many of them also in Germany, Austria and Switzerland – have been reporting cyberattacks that exploit various vulnerabilities in Ivanti Endpoint Manager Mobile. Palo Alto Networks, or rather its Unit 42 research team, has now published a summary of the current status.
I had reported here on the blog about the security alerts as they occurred (see the articles at the end of this post). Now Palo Alto has sent me a follow-up on these vulnerabilities in Ivanti Endpoint Manager Mobile (August 2023). I'm posting the information here on the blog for affected administrators, as it provides a good overview.
Palo Alto Status Overview
On July 24, 2023, Ivanti released details of a zero-day unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. CVE-2023-35078 affects versions 11.10, 11.9 and 11.8, but older versions are also at risk of potential exploitation.
Since the first wave of attacks, three additional vulnerabilities have been discovered in Ivanti products: the first in MobileIron Core (CVE-2023-35082), a second in the Ivanti Avalanche product (CVE-2023-32560), and the third in the Ivanti Sentry product (CVE-2023-38035).
As of August 23, Unit 42's observations indicate a fairly consistent total number of Ivanti MobileIron servers on the Internet compared to the same analysis three weeks ago. It also notes that hundreds of IP addresses that previously showed older, vulnerable versions now have updated versions that should mitigate the known vulnerabilities. However, the experts also note that many Internet IP addresses today still serve Ivanti MobileIron and related services and report potentially vulnerable, not to mention unsupported, versions.
CVE-2023-35078 allows unauthenticated users full API access through certain API endpoints. According to the CISA advisory, malicious actors can use this access to extract personally identifiable information (PII) and perform administrative actions such as creating new accounts and making configuration changes, all without requiring credentials.
Vulnerability overview
As of August 23, three additional vulnerabilities in Ivanti products have been disclosed in the past three weeks:
- CVE-2023-35082 allows an attacker to gain unauthenticated remote API access in MobileIron Core 11.2 and older. This is similar to the original vulnerability in the set – CVE-2023-35078 – but covers some of the older versions of the product.
- CVE-2023-32560 allows an attacker to remotely exploit Ivanti Avalanche software without authentication, which could lead to the execution of arbitrary code on the vulnerable system.
- CVE-2023-38035 is currently being exploited in the wild to allow attackers to access sensitive admin portal configuration APIs via an API authentication bypass vulnerability in the Ivanti Sentry product. The colleagues at Bleeping Computer have published an article about it here.
Palo Alto Networks' Unit 42 recommends that users of the affected software upgrade to the latest versions, which contain fixes for these vulnerabilities. It is especially important to check the topology of your network to ensure that all publicly reachable Ivanti Endpoint Manager Mobile services are up to date with the latest patch.
For those unable to upgrade to fixed versions of the software, the experts also recommend taking precautions to control access to vulnerable servers and considering restricting public access until they can be patched. All the latest details on this can be found in Unit 42's blog post.
Similar articles:
Patch your Ivanti EPMM – Norwegian government hacked via 0-day
Vulnerability CVE-2023-35082 in Ivanti MobileIron Core (up to version 11.2)
New 0-day vulnerability CVE-2023-38035 in Ivanti Sentry