Cybersecurity blog header

CVE-2023-35078: Remote authentication bypass in Ivanti EPMM API

- S.T.A².R.S Team

CVE-2023-35078 is a critical vulnerability

CVE-2023-35078 is a critical vulnerability that allows access to restricted functionality of Ivanti mobile management software

A new critical vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability, identified as CVE-2023-35078, affects all supported versions, including versions 11.10, 11.9, and 11.8. Older versions are also at risk.

Ivanti Endpoint Manager Mobile (Ivanti EPMM) is mobile management software that allows companies to manage mobile devices, applications, and content.

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti EPMM that allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is rated as critical and has been given a maximum CVSS score of 10.

Main characteristics

The main features of CVE-2023-35078 vulnerability are listed below:

  • CVE Identifier: CVE-2023-35078
  • CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Publication Date: 25/07/2023
  • Affected Software: Ivanti Endpoint Manager Mobile (EPMM)
  • Affected Versions:
    • Ivanti Endpoint Manager Mobile (Core) – 11.0.0.0, 11.10.0.0, 11.4.1.0, 11.5.0.0, 11.6.0.0, 11.7, 11.7.0.0, 11.8.0.0, 11.9.0.0, 11.9.0.1
    • Access – r43, r45, R55
    • Cloud – R87, R90, R91
    • Ivanti Neurons for MDM (Cloud) – R91
    • Sentry – 9.13.0.0
    • Connect-Secure – 9.1Rx
    • Endpoint Manager – Endpoint Security 2022.1, Endpoint Manager 2019, Endpoint Manager 2020.1, Endpoint Manager 2021.1, Endpoint Manager 2022
    • Endpoint Security – Endpoint Security 8.6.0
    • Security Controls – Security Controls 2023.1

If this vulnerability is successfully exploited, an unauthorized remote actor could potentially access users’ personally identifiable information and make limited changes to the server.

It is important to note that Ivanti is aware that active exploitation of this vulnerability has already occurred. Therefore, both Ivanti and cybersecurity organizations are working together with customers and partners to investigate and mitigate this situation.

Mitigation

In response to this threat, Ivanti has acted swiftly and implemented a patch that is already available for supported versions of the product. If the system is running a compatible version, it is recommended to upgrade EPMM with the patch releases (11.8.1.1, 11.9.1.1, and 11.10.0.2) from the system manager portal.

For those using versions prior to 11.8.1.0, Ivanti strongly recommends upgrading to the latest version of EPMM to ensure the latest security and stability fixes. In case upgrading is not possible, Ivanti provides an RPM-based solution to apply a temporary patch.

However, it is crucial to update to a compatible EPMM version that allows permanent patch application.

CVE-2023-35078 affects Ivanti

Vulnerability Detection

To determine if the system has been affected, Ivanti provides a confidential «Analysis Guide» through customer support. So far, only a limited number of customers have been affected, and Ivanti is actively working with them to investigate. If assistance is needed, customers can open a support ticket or request a call through Success Portal. Additionally, Ivanti has stated that the company has not been compromised due to this vulnerability, affirming that it employs technology and security partners to prevent and respond to sophisticated threat actors.

A proof of concept for CVE-2023-35078 has been made public by Vaishno Chaitanya, available in their personal Github repository. The proof of concept includes a video of the exploit running against a vulnerable EPMM instance.

CVE-2023-35081

The US agency CISA added a second actively exploited vulnerability of Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog.

This vulnerability, identified as CVE-2023-35081, joined the existing vulnerability CVE-2023-35078. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) issued a joint warning in response to the active exploitation of both vulnerabilities. Ivanti released another patch for CVE-2023-35081 on July 28, 2023. The possibility of chaining the CVE-2023-35081 and CVE-2023-35078 vulnerabilities was observed.

The vulnerability affects versions 11.10, 11.9, and 11.8, and older versions are also at risk. Attackers can use this vulnerability to bypass administrator authentication and ACL restrictions, allowing them to execute system commands on the device as the user tomcat. The vulnerability was exploited in recent attacks against the ICT system used by twelve Norwegian government ministries.

It is noteworthy that mobile device management systems (MDM) are attractive targets for attackers, as compromising them provides elevated access to thousands of mobile devices. CISA and NCSC-NO warn of the potential for widespread exploitation of Ivanti vulnerabilities in government and private sector networks.

As part of their emerging vulnerabilities service, Tarlogic proactively monitors their clients’ perimeter to inform, detect, and urgently report the presence of this vulnerability, as well as other critical threats that could have a serious impact on asset security.