Ivanti patches zero-day used to attack Norwegian government

Mobile security vendor Ivanti has patched a critical flaw in its Endpoint Manager Mobile (EPMM) software that was used to attack agencies of the Norwegian government.

The zero-day vulnerability, tracked as CVE-2023-35078, is an authentication bypass flaw that affects all supported versions of Ivanti's EPMM, formerly known as MobileIron Core. This vulnerability allows unauthorised, remote actors to potentially access users' information and make limited changes to the affected server.

"An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system," says the US Cybersecurity and Infrastructure Security Agency (CISA) in an advisory.

"An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system."

The flaw has a maximum CVSS severity rating of 10.0.

After criticism by security experts that it was trying to hide the zero-day behind a subscriber-only registration wall, Ivanti issued a public advisory on Monday, acknowledging the severity of the vulnerability and stating that it was aware of active exploitation of the bug against a "very limited number" of customers.

"If exploited, this vulnerability enables an unauthorised, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti said.

"We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation. We are only aware of a very limited number of customers that have been impacted. We are actively working with our customers and partners to investigate this situation."

The company says that all supported versions of EPMM, as well as older versions, are affected.

The flaw has already been used to attack agencies of the Norwegian government, with attackers able to access information on government systems. An enquiry into the potential breach is ongoing.

Norway's National Security Authority (NSM) confirmed that the attackers behind the breach exploited the zero-day vulnerability to compromise a software platform used by 12 ministries in the country.

However, it clarified that the Prime Minister's Office, the Ministry of Defence, the Ministry of Justice and the Ministry of Foreign Affairs were not affected by the cyberattack.

The Norwegian National Cyber Security Centre (NCSC) urged all users of EPMM to immediately install the security update from Ivanti.

The country's data protection authority has been notified of the possible breach.