Ivanti patches another EPMM zero-day used to attack Norwegian government

Patch now, urges CISA


Mobile security vendor Ivanti has fixed another zero-day vulnerability in the Endpoint Manager Mobile (EPMM) software that was exploited alongside another zero-day fault to infiltrate the IT systems of a dozen ministries in Norway.

Ivanti's EPMM was previously known as MobileIron Core.

The newly discovered zero-day, identified as CVE-2023-35081 and with a CVSS score of 7.8, affects several supported versions, namely 11.10, 11.9, and 11.8, as well as versions that have reached their end-of-life (EoL).

CVE-2023-35081 is different from the authentication bypass vulnerability, CVE-2023-35078, which was addressed by the company last week.

CVE-2023-35081 is a path traversal flaw that grants an authenticated administrator the ability to conduct arbitrary file writes to the EPMM server.

"This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACL restrictions (if applicable)," Ivanti said in its advisory.

"Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the Tomcat user."

In its knowledge base post, Ivanti said that CVE-2023-35078 plays a crucial role in reducing the complexity of exploiting CVE-2023-35081, because the authentication bypass supplies the administrator access that the path traversal flaw requires. Chaining the two vulnerabilities is what presents the most significant risk, since an attacker who exploits them in tandem turns an unauthenticated API flaw into an arbitrary file write on the appliance.
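The chain Ivanti describes rests on an authenticated file write whose destination can be steered outside its intended directory. As an added illustration, not Ivanti's or EPMM's code (the directory layout, function names and allowed-suffix list are assumptions), the vulnerable join-and-write pattern sits beside a hardened version that resolves the final path and checks that it stays inside the upload directory:

```python
"""Illustration of a path-traversal-prone file write and its hardened form.
Example code written for this article, not Ivanti's EPMM implementation;
the directory names and the allowed-suffix list are assumptions."""
import tempfile
from pathlib import Path


def unsafe_write(base_dir: str, name: str, data: bytes) -> Path:
    """Vulnerable pattern: a caller-supplied name is joined onto the base
    directory without validation, so '..' segments escape base_dir."""
    target = Path(base_dir) / name  # '..' components are kept as-is
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


ALLOWED_SUFFIXES = {".txt", ".csv", ".log"}  # assumption: no server-executed types


def safe_write(base_dir: str, name: str, data: bytes) -> Path:
    """Hardened pattern: resolve() collapses '..' and follows symlinks, then
    the result must be contained in the resolved base (component-wise check,
    so '/srv/app' is not fooled by '/srv/app2')."""
    base = Path(base_dir).resolve()
    if Path(name).is_absolute():  # an absolute name would replace the base
        raise ValueError("absolute path not allowed")
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise ValueError(f"path escapes upload directory: {name!r}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {target.suffix!r}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Constructed layout: uploads/ is the intended sink; webapps/ROOT/ stands
    in for a web root that a traversal from uploads/ would reach."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    results = {}
    escaped = unsafe_write(str(uploads), "../webapps/ROOT/page.jsp", b"<% %>")
    results["unsafe_escaped"] = not escaped.resolve().is_relative_to(uploads.resolve())
    for bad in ("../webapps/ROOT/page.jsp", "page.jsp", "/etc/hosts"):
        try:
            safe_write(str(uploads), bad, b"x")
            results[bad] = False
        except ValueError:
            results[bad] = True
    ok = safe_write(str(uploads), "reports/2023/audit.txt", b"ok")
    results["safe_allowed"] = ok.is_relative_to(uploads.resolve()) and ok.read_bytes() == b"ok"
    return results
```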

The company says it is currently aware of only a limited number of customers affected by CVE-2023-35081, the same customers that were impacted by CVE-2023-35078.

Ivanti credited Mnemonic for their valuable assistance in uncovering the vulnerability.

In an online post, Mnemonic reported that they had observed the use of this exploit in conjunction with CVE-2023-35078 to write JSP and Java .class files to disk.

"These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers," Mnemonic said.

"Follow the recommendations of CVE-2023-35078, and have a look in your logs for the vulnerable path mentioned in the last advisory."

The US Cybersecurity and Infrastructure Security Agency (CISA) warned users in an alert last week that CVE-2023-35081 enables attackers with EPMM administrator privileges to write arbitrary files on the EPMM web application server with OS privileges.

"The attacker could then execute the uploaded file, for example, a web shell. To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system," it added.

CISA urged users and organisations to patch both CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078

Last week, Ivanti released a patch for CVE-2023-35078, a critical remote unauthenticated API access vulnerability in EPMM. It impacted all supported versions of EPMM and allowed unauthorised remote actors to potentially access users' information and perform limited changes to the affected server.

The flaw was assigned the highest CVSS severity rating of 10.0.

Following criticism from security experts, who accused Ivanti of attempting to conceal the zero-day by placing it behind a subscriber-only registration wall, the company issued a public advisory.

In the advisory, Ivanti acknowledged the seriousness of the vulnerability and said it was aware of active exploitation of the bug against only a "very limited number" of customers.

The mobile security vendor has rejected reports suggesting a supply chain attack.

"Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously," the company said.