Ivanti Endpoint Manager Mobile Vulnerability

This live blog contains information regarding a vulnerability in Ivanti Endpoint Manager Mobile. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on August 8, 2023.

Update 8 August 2023

11:00 | On the 7^th of August, Ivanti has published a new article regarding vulnerability CVE-2023-35082. On the 3^rd of August we already wrote about this vulnerability, impacting version 11.2 and older of MobileIron Core/Endpoint Manager Mobile (EPMM).

The new article states that not only the unsupported version 11.2 is impacted, but also all current supported versions. This is significant as the CVSS-score of 10 and the impact of the vulnerability have not changed. Additionally, there is a public proof-of-concept exploit already available. The new added impacted versions are:

• 8.1.2
• 9.1.2
• 10.0.3
• 7 and below (MobileIron Core)

Ivanti has released an RPM-script to address CVE-2023-35082. This script does not solve prior vulnerabilities CVE-2023–35078 and CVE-2023–35081.

More information about the exploit and the RPM-script can be found here:

• https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

Call to action

• Upgrade to version 11.8.1.2, 11.9.1.2 or 11.10.0.3 to address CVE-2023–35078 and CVE-2023–35081;
• Apply the RPM-script to address CVE-2023-35082;
• Search the logs in /var/log/httpd for suspicious paths, for example with the following command:
  • zgrep -E “\/.+\/.+\/api\/v2\/” /var/log/httpd/*
• Perform additional scanning to identify potential exploitation. This can be done using the Nextron THOR scanner, as described in our update on the 4^th of August.

If you find anything suspicious, would like a thorough scan of the system or prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 4 August 2023

16:00 | On the 3^rd of August, an exploit has been made publicly available regarding CVE-2023-35082. This exploit is similar to the exploit for CVE-2023–35078 but using a different path. The detection steps mentioned in our post on the 26^th of July for CVE-2023–35078 also apply to this vulnerability.

More information about the exploit can be found here:

• https://twitter.com/wdormann/status/1687105991287123968

Our partner Nextron has published a blog describing step-by-step how to use their THOR APT scanner to identify potential exploitation of CVE-2023-35078, CVE-2023-35081 and/or CVE-2023-35082 on your Ivanti EPMM / Mobile Iron Core appliance. This blog leverages the THOR Lite scanner and explains how the scan can be performed.

T-CERT can perform an even more thorough scan for you by using the full version of the THOR APT scanner. In addition, we will interpret the scan results and supply you with an advice.

The blog published by Nextron can be found here:

• https://www.nextron-systems.com/2023/07/25/how-to-scan-ivanti-endpoint-manager-mobile-epmm-mobileiron-core-for-cve-2023-35078-exploitation/

If you prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 3 August 2023

15:00 | On the 2^nd of Augustus, Ivanti has published a security blog regarding a new critical vulnerability. The vulnerability is registered as CVE-2023-35082 and classified as an authentication bypass vulnerability in MobileIron Core/Endpoint Manager Mobile (EPMM). When exploited, the vulnerability allows an unauthenticated remote attacker to potentially access users’ personally identifiable information and make limited changes to the server. The vulnerability has a CVSS score of 10, which implies a low attack complexity and high risk of exploitation with high impact.

The vulnerability exists in versions 11.2 and older and is solved in version 11.3. Versions 11.2 is end-of-support since the 15^th of March 2022. It is advised to use supported versions of products only. If you use a supported version of the product and have applied the patches required for the earlier two vulnerabilities (CVE-2023-35078 and CVE-2023-35081) no action is required.

More information regarding CVE-2023-35082 can be found here:

• https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 31 July 2023

12:00 | A proof-of-concept exploit for CVE-2023-35078 has been published on GitHub. This was expected based on the already available information and the low complexity of the vulnerability. The vulnerability was already exploited by a specific adversary group but is now also publicly available. Exploitation with the proof-of-concept exploit will be detected in the logging using the earlier shared instructions.

If an Ivanti Endpoint Manager Mobile (EPMM) server is not patched for CVE-2023-35078 at this moment, it should be considered compromised. It is advised to investigate the appliance for exploitation of the vulnerability. Please contact T-CERT for assistance at [email protected].

The proof-of-concept exploit can be found here:

• https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/tree/main

Additionally, a new vulnerability has been published for EPMM and is registered as CVE-2023-35081. The vulnerability enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACL restrictions. The following supported versions of Ivanti EPMM are vulnerable:

• Version 11.4 releases 11.10.0.2, 11.9.1.1 and 11.8.1.1 or earlier;
• Older versions/releases

Security updates are available. Please upgrade as soon as possible to one of the following versions:

• EPMM 11.8.1.2
• EPMM 11.9.1.2
• EPMM 11.10.0.3

The advisory of Ivanti regarding CVE-2023-35081 can be found here:

• https://forums.ivanti.com/s/article/KB-Arbitrary-File-Write-CVE-2023-35081?language=en_US

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 26 July 2023

12:30 | Norwegian cyber security company Mnemonic has published a blog containing more detailed information regarding the vulnerability CVE-2023-35078 and its discovery. The details provided combined with the low complexity of the vulnerability and other published information makes performing the exploit straightforward. It is highly likely that other actors have access to this information as well and will exploit this vulnerability. Therefor it is highly recommended to apply the provided security updates as soon as possible!

Additionally, it is advised to inspect the HTTP logs for suspicious requests. As described in the blog by Mnemonic, the base URL for all API calls is https://[core server]/api/v2/. If you add the path to a vulnerable endpoint, you need no authentication to execute commands. Like this: https://[core server]/<vulnerable>/<path>/api/v2/. After you applied the patch, it is highly recommended to inspect the HTTP logs stored in /var/log/httpd for suspicious requests containing the following pattern:

• /<vulnerable>/<path>/api/v2/

For example, with the following command:

• zgrep -E “\/.+\/.+\/api\/v2\/” /var/log/httpd/*

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 25 July 2023

10:00 | On the 24^th of July, Ivanti has released a security blog describing a critical vulnerability. The vulnerability is registered as CVE-2023-35078 and allows an unauthenticated remote attacker to access users’ personally identifiable information and make limited changes to the server, including the creation of an EPMM administrative account that can make further changes to a vulnerable system.

Exploits of CVE-2023-35078 have been observed in the wild against a very small number of customers. Ivanti has released software updates. It is highly recommended to apply these security patches as soon as possible.