Pierluigi Paganini August 02, 2023

US CISA added a second actively exploited Ivanti ‘s Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog.

US Cybersecurity and Infrastructure Security Agency (CISA) added the second actively exploited Ivanti ‘s Endpoint Manager Mobile (EPMM, formerly MobileIron Core) vulnerability, tracked as CVE-2023-35081, to its Known Exploited Vulnerabilities Catalog.

“The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081.” reads the advisory published by US CISA. “Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.”

Ivanti states that an attacker can chain this vulnerability with CVE-2023-35078 to bypass administrator authentication and ACLs restrictions (if applicable).

“Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.” continues the advisory. “As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.”

The flaw impacts supported versions 11.10, 11.9, and 11.8, older versions/releases are also at risk.

The vulnerability is an authentication bypass issue impacting Ivanti Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core).

An unauthorized user can exploit the flaw to access restricted functionality or resources of the application without proper authentication.

The zero-day vulnerability was exploited by threat actors in recent attacks against the ICT platform used by twelve ministries of the Norwegian government.

The US agency pointed out that Mobile device management (MDM) systems are attractive targets for threat actors because by compromising them attackers can achieve elevated access to thousands of mobile devices.

CISA and NCSC-NO warn of the potential for widespread exploitation of Ivanti vulnerabilities in government and private sector networks.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by August 21, 2023.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)