Get a free application, infrastructure and malware scan report - Scan Your Website Now

Remote Unauthenticated API Access Vulnerabilities in Ivanti

Posted DateAugust 8, 2023
Posted Time 3   min Read

Ivanti has warned users of its Endpoint Manager Mobile (EPMM) mobile device management (MDM) platform, urging immediate actions to address two vulnerabilities – including a zero-day exploit.

These vulnerabilities can potentially be exploited by an unauthorized attacker, leading to unauthorized access to sensitive data and the execution of malicious actions on the affected system.

Analyzing Identified API Access Vulnerabilities

Formerly known as MobileIron Core, Ivanti Endpoint Manager Mobile (EPMM) is a management platform that provides organizations with the means to manage mobile devices, including smartphones and tablets.

As of now, Ivanti has disclosed two remote API access vulnerabilities:

  • CVE-2023-35078 (July 24, 2023)
  • CVE-2023-35082 (August 2, 2023)

CVE-2023-35078 

Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35078 is a remote unauthenticated API access vulnerability that affects Ivanti EPMM. An unauthorized attacker can potentially exploit this vulnerability to gain unauthorized access to sensitive data and perform malicious actions on the affected system.

Successful exploitation of this vulnerability could lead to various security risks, including but not limited to:

  1. Unauthorized access to sensitive information stored within Ivanti EPMM.
  2. Execution of unauthorized administrative actions, potentially compromising the integrity and availability of your data and resources
  3. Unintended disclosure of confidential data to unauthorized parties

All supported versions, including Version 11.4 with its releases 11.10, 11.9, and 11.8, are affected by this vulnerability. Furthermore, this issue also extends to product versions that no longer receive support.

In response to the identified vulnerability, Ivanti promptly released patches for versions 11.8.1.1, 11.9.1.1, and 11.10.0.2

For EPMM Unsupported Releases (<11.8.1.0), Ivanti highly recommends upgrading to the latest version of EPMM; if you cannot upgrade, apply an RPM fix.

Active Exploitations

Ivanti has confirmed instances of CVE-2023-35078 being exploited in real-world scenarios, impacting a “very limited number of customers.” Further validating this, the Norwegian National Security Authority (NSM) has affirmed the utilization of CVE-2023-35078 to breach a government-operated software platform.

In parallel, the CISA also issued an advisory regarding the vulnerability, incorporating it into their Known Exploited Vulnerabilities (KEV) list.

CVE-2023-35082 

Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35082 is another remote unauthenticated API access vulnerability that affects Mobilelron Core versions 11.2 and older. Like CVE-2023-35078, this vulnerability can enable a remote unauthenticated attacker to access API endpoints on a publicly exposed management server, utilizing them for diverse operations.

The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug.

Note: MobileIron Core 11.2 has been out of support since March 15, 2022.

Prevention and Mitigation

  • Without delay, apply the relevant updates provided by Ivanti to vulnerable systems, following proper testing.
  • Employ vulnerability scanning to identify possible software vulnerabilities that require mitigation.
  • Implement the pinciple of least privilege across all systems and services. Running software with non-administrative privileges helps minimize the impact of a successful attack.

AppTrana WAAP Threat Coverage

AppTrana customers are protected from these vulnerabilities from Day 0.

Apart from the patches provided by the vendor, AppTrana WAAP offers additional protection patterns that can serve as an extra layer of defense against potential exploits.

To ensure the security of our customers, Indusface managed security team developed the rules to generate Ivanti-related alerts and block attempts to exploit.

Rule ID Name
99901 Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)

 

Reference:

  • Advisory : https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  • Advisory : https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
  • Patch : https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078?language=en_US

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

Mayank Kumar - Security Researcher R&D
Mayank Kumar

Mayank Kumar is a skilled Security Researcher at Indusface. With an expertise in developing detection logic and signatures for an array of security vulnerabilities, including 0-day vulnerabilities, he stands at the forefront of safeguarding digital landscapes. Fueling his passion for cyber defense, Mayank actively pursues learning new security concepts and eagerly takes on the challenge of solving vulnerable machines on platforms like TryHackMe and HackTheBox.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Business Logic Vulnerability
Business Logic Vulnerability – Examples and Attack Prevention

Learn about business logic vulnerabilities with examples and prevention strategies to protect your applications from unauthorized access and manipulation.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!