Ivanti Patches another Zero-Day Exploited in Norwegian Government Attacks – Active Exploitation Observed

Ivanti has patched another critical vulnerability in its Endpoint Manager Mobile software (formerly MobileIron Core), which was exploited as a zero-day to breach the IT systems of several ministries in Norway. The path traversal flaw, tracked as CVE-2023-35081, enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, which bypasses administrator authentication and ACLs (source: CISA).

Successful exploitation allows an attacker to write malicious files to the appliance, ultimately enabling execution of OS commands on the appliance as the tomcat user. As of now, Ivanti is aware of only the same limited number of customers being impacted by CVE-2023-35081 as were impacted by CVE-2023-35078.

The Norwegian National Security Authority (NSM) confirmed that the CVE-2023-35078 EPMM vulnerability was abused to breach a software platform used by the country’s government agencies. However, the Norwegian Security and Service Organization (DSS) stated that the cyberattack did not affect Norway’s Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice, or the Ministry of Foreign Affairs.

Earlier Vulnerability

Earlier, Ivanti addressed a critical zero-day authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM), designated as CVE-2023-35078. This vulnerability allows unauthenticated remote access to specific API paths, posing a significant threat to the security of user data. An attacker exploiting this vulnerability can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. Furthermore, the attacker can make configuration changes, including the creation of an EPMM administrative account, which can lead to further system compromise.

Indicators of Compromise (IOCs) and Detection Methods

Currently, there are no specific IOCs available for CVE-2023-35078. However, you can check your logs to determine if the API v2 endpoint in Ivanti EPMM has been targeted. The API v2 can be accessed without authentication by altering the URI path.
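A starting point for the log review suggested above, as an added example that is not part of the original advisory: it parses combined-format web server access log lines, flags every request touching the API v2 path, and summarizes them per client IP so that hits from sources that are not known API consumers, and especially successful state-changing calls such as account creation, stand out. The `API_V2_MARKER` prefix, the `expected_sources` allowlist and the sample log lines are all constructed placeholders; substitute the exact EPMM path prefix from Ivanti's advisory and your own allowlist.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Placeholder marker (assumption): set this to the exact EPMM API v2 path
# prefix given in Ivanti's advisory for your appliance version.
API_V2_MARKER = "/api/v2/"

# Constructed sample log lines (not real EPMM traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2023:10:01:12 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [24/Jul/2023:10:01:15 +0000] "GET /api/v2/users HTTP/1.1" 200 8743
203.0.113.7 - - [24/Jul/2023:10:01:19 +0000] "POST /api/v2/admins HTTP/1.1" 200 211
10.0.0.5 - - [24/Jul/2023:10:05:00 +0000] "GET /api/v2/devices HTTP/1.1" 200 6002
198.51.100.9 - - [24/Jul/2023:10:06:41 +0000] "GET /dashboard HTTP/1.1" 302 0
"""

def find_api_v2_hits(log_text, expected_sources=frozenset()):
    """Return every request touching the API v2 path, tagged with whether the
    client IP is outside the operator's list of expected API consumers and
    whether the request used a state-changing method (e.g. account creation)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or API_V2_MARKER not in m["path"]:
            continue
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "unexpected_source": m["ip"] not in expected_sources,
            "write": m["method"] in ("POST", "PUT", "PATCH", "DELETE"),
        })
    return hits

def summarize_by_source(hits):
    """Group hits per client IP: request count, write count, any 2xx success."""
    summary = defaultdict(lambda: {"count": 0, "writes": 0, "succeeded": False})
    for h in hits:
        s = summary[h["ip"]]
        s["count"] += 1
        s["writes"] += int(h["write"])
        s["succeeded"] = s["succeeded"] or 200 <= h["status"] < 300
    return dict(summary)

if __name__ == "__main__":
    hits = find_api_v2_hits(SAMPLE_LOG, expected_sources={"10.0.0.5"})
    for ip, s in summarize_by_source(hits).items():
        print(f"{ip}: {s['count']} v2 requests, writes={s['writes']}, succeeded={s['succeeded']}")
```

Only requests from IPs outside `expected_sources` with a successful status deserve follow-up; a successful write from an unknown source is the strongest signal in this data.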

For CVE-2023-35081, Ivanti has identified and released patches for a directory traversal vulnerability. This vulnerability allows an attacker with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. The attacker could then execute the uploaded file, for example, a web shell. To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system. Ivanti reports active exploitation of both CVE-2023-35081 and CVE-2023-35078.

CISA urges users and organizations to patch both CVE-2023-35081 and CVE-2023-35078. The patches for CVE-2023-35081 also include the fix for CVE-2023-35078.
