Pierluigi Paganini August 03, 2023

Researchers discovered a bypass for a recently fixed actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

Rapid7 cybersecurity researchers have discovered a bypass for the recently patched actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

The new vulnerability, tracked as CVE-2023-35082 (CVSS score: 10.0), can be exploited by unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below). Ivanti addressed the vulnerability with the release of the MobileIron Core 11.3 version.

“A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability.” reads the advisory published by the Vendor.
“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.”

While Rapid7 researchers were investigating actively exploited vulnerability CVE-2023-35078 in Ivanti Endpoint Manager Mobile and MobileIron Core the researchers discovered the new vulnerability CVE-2023-35082.

“Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product.” reads the advisory published by Rapid7. “For additional context on CVE-2023-35078 and its impact, see Rapid7’s emergent threat response blog here and our AttackerKB assessment of the vulnerability.”

Rapid7 reported this vulnerability to the software firm on July 26, 2023 and it is now disclosing it in accordance with its vulnerability disclosure policy.

“In our testing of CVE-2023-35078, we had access to MobileIron Core version 11.2.0.0-31. After reproducing the original vulnerability, we proceeded to apply Ivanti’s hotfix ivanti-security-update-1.0.0-1.noarch.rpm as per the Ivanti Knowledge Base article 000087042.” continues Rapid7. “We verified that the hotfix does successfully remediate CVE-2023-35078. However, we found a variation of the same attack that enables a remote attacker to access the API endpoints without authentication.”

The CVE-2023-35082 flaw is the third issue addressed by Ivanti impacting its EPMM product.

Recently cybersecurity agencies from Norway and the U.S. revealed that zero-day flaws in EPMM, tracked CVE-2023-35078 and CVE-2023-35081, were exploited by threat actors in recent attacks against the ICT platform used by twelve ministries of the Norwegian government.

At the time of this writing, there is no evidence of active exploitation of CVE-2023-35082 in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti EPMM)