
Critical Vulnerability CVE-2023-35078: Authentication Bypass in Ivanti Endpoint Manager Mobile (EPMM)


Executive Summary

CVE-2023-35078 is a critical authentication bypass in Ivanti Endpoint Manager Mobile (EPMM), the product formerly sold as MobileIron Core. An unauthenticated, remote attacker can reach API paths that should require an administrator session and, through them, read the data those APIs expose (including user PII) and make configuration changes. NVD assigns a CVSS v3.1 base score of 9.8 (Ivanti's own advisory rates it 10.0), and the flaw was exploited as a zero-day before a fix was available: the first publicly confirmed victims were Norwegian government ministries in July 2023, documented in the joint CISA/NCSC-NO advisory AA23-213A. Immediate patching is required, and because attackers used the bug to add administrative accounts, patched systems should also be checked for persistence rather than assumed clean.

Technical Information

CVE-2023-35078 is an authentication bypass in the EPMM web application. Requests to a particular set of API paths are served without the authentication check that the rest of the administrative API enforces, so an unauthenticated, remote attacker who can reach the appliance's HTTPS interface can call those endpoints directly. The public proof-of-concept code linked below and the CISA/NCSC-NO advisory identify the affected paths as those under /mifs/aad/api/v2/ (for example /mifs/aad/api/v2/ping, which discloses the product version, and /mifs/aad/api/v2/admins/users, which returns the user directory). The practical effect is unauthenticated read access to PII and the ability to invoke administrative actions, including creating administrator accounts. Two related issues followed: CVE-2023-35081, a path traversal that Ivanti reported being chained with this bypass to write files on the appliance, and CVE-2023-35082, a separate bypass of the same authentication check. The fix for CVE-2023-35078 alone therefore does not close the whole class.

NVD rates the vulnerability at a CVSS v3.1 base score of 9.8 (critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is exploitable over the network, has low attack complexity, requires neither privileges nor user interaction, and has high impact on confidentiality, integrity and availability. The scope is unchanged because the bypass yields control of the EPMM application itself; the file-write impact on the underlying appliance came from the chained CVE-2023-35081.

Ivanti's advisory states that all supported EPMM versions at the time were affected, specifically the 11.10, 11.9 and 11.8 release lines, and that older, unsupported releases are also at risk.

Exploitation in the Wild

This vulnerability was exploited in the wild before it was disclosed. Ivanti published its advisory on 24 July 2023, the same day Norway's authorities reported that twelve government ministries had been compromised through the flaw, and CISA added it to the Known Exploited Vulnerabilities catalog within days. Attackers used the bypass to read personally identifiable information (PII) from the user directory, add administrative accounts and change configuration on affected appliances. This report also observed exploitation activity against government agencies, healthcare institutions and financial services across North America and Europe.

Indicators of Compromise (IOCs) to look for: administrator accounts nobody recognizes, especially ones created after 24 July 2023 and before the patch was applied; unexpected changes to EPMM configuration; and, in the appliance's HTTP access logs, requests to paths under /mifs/aad/api/v2/ from addresses that are not known integration hosts, particularly requests that received 2xx responses or used POST. Because an EPMM administrator can push configuration to every managed device, a confirmed exploitation should be treated as a compromise of the whole MDM tenant, not just of the server.

The public sources documenting the exploitation (the NVD entry, the CISA KEV listing, Ivanti's KB article and the GitHub proof-of-concept repositories) are collected in the References section below.

APT Groups using this vulnerability

At the time of this report no specific APT group had been publicly named as exploiting this vulnerability, and the CISA/NCSC-NO advisory did not attribute the Norwegian intrusions. The bug is nevertheless attractive to state-sponsored and criminal actors alike: an EPMM server holds the directory of managed users and devices and can push configuration to those devices, so one unauthenticated request chain yields both bulk PII and a foothold on the device fleet.

Affected Product Versions

Affected: Ivanti EPMM 11.10, 11.9 and 11.8 (all supported release lines at the time of disclosure); older, unsupported releases are also at risk and must be upgraded to a supported line before the fix can be applied. Fixed: EPMM 11.8.1.1, 11.9.1.1 and 11.10.0.2, delivered by Ivanti as an RPM patch for each line. Note that the later CVE-2023-35081 and CVE-2023-35082 have their own fixes; confirm against Ivanti's current guidance rather than stopping at these three builds.

Workaround and Mitigation

Ivanti has released patches (EPMM 11.8.1.1, 11.9.1.1 and 11.10.0.2, shipped as an RPM for each release line) and all administrators should apply them immediately, together with the subsequent fixes for CVE-2023-35081 and CVE-2023-35082. If patching must be delayed, restrict network access to the appliance's administrative interface and, where a reverse proxy or WAF sits in front of EPMM, block requests to /mifs/aad/api/v2/ from anything other than known integration hosts; be aware that the enrollment portal may still need to be reachable by devices, so restrict the API path rather than the whole host. Patching alone does not evict an attacker who already used the bypass: audit the list of administrator accounts and remove any that cannot be accounted for, reset the credentials of the remaining ones, review the appliance's HTTP access logs for the indicators above, and if exploitation is confirmed, rebuild or restore from a backup taken before the first suspicious request.
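The log review described in the Indicators of Compromise section above and in the monitoring advice here can be scripted. The following is an added example, not code from Ivanti, Rescana or the page's references: it parses Apache-style access log lines, flags requests under /mifs/aad/api/v2/ (the path prefix named in the public proof-of-concept repositories and the CISA/NCSC-NO advisory) from sources outside an allow-list, and grades them by whether they were writes or successful reads of the high-value endpoints. The log lines are constructed for the example, and the trusted source range is an assumption you would replace with your own integration hosts.

```python
"""Flag access-log entries consistent with CVE-2023-35078 exploitation.

Added example, not Ivanti's or Rescana's code.  Assumptions: the appliance
logs in Apache combined format, the suspect prefix /mifs/aad/api/v2/ is the
one reported publicly, and TRUSTED_NETS lists your legitimate API callers.
"""
import ipaddress
import re
from collections import Counter

# Apache combined format: IP ident user [time] "METHOD PATH PROTO" STATUS SIZE "REF" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

SUSPECT_PREFIX = "/mifs/aad/api/v2/"
# Endpoints the public PoCs request: version disclosure and the user directory.
HIGH_VALUE = ("/mifs/aad/api/v2/ping", "/mifs/aad/api/v2/admins/users")
WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")

# Assumption: hosts that legitimately call these APIs (replace with your own).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    """True if the source address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Grade one parsed request: 'critical', 'high', 'medium', or None if benign."""
    path = rec["path"].split("?", 1)[0]          # ignore any query string
    if not path.startswith(SUSPECT_PREFIX):
        return None
    if is_trusted(rec["ip"]):
        return None                               # expected integration traffic
    if rec["method"] in WRITE_METHODS:
        return "critical"                         # write to an admin API, untrusted source
    if path in HIGH_VALUE and rec["status"].startswith("2"):
        return "high"                             # successful unauthenticated read
    return "medium"                               # probe of the prefix (e.g. 401/404)


def scan(lines):
    """Return (severity, ip, method, path, status) for every suspicious line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                              # unparseable line, skip it
        sev = classify(rec)
        if sev:
            findings.append((sev, rec["ip"], rec["method"], rec["path"], rec["status"]))
    return findings


def sources_by_severity(findings):
    """Count distinct (severity, source IP) pairs for triage."""
    return Counter((sev, ip) for sev, ip, *_ in findings)


# Constructed sample log: three PoC-style requests from one external address,
# one legitimate call from an internal host, one unrelated request, one probe
# that was rejected, and one line that is not a log entry at all.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jul/2023:08:12:01 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [24/Jul/2023:08:12:02 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 8812 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [24/Jul/2023:08:12:05 +0000] "POST /mifs/aad/api/v2/admins/users HTTP/1.1" 200 120 "-" "python-requests/2.31.0"',
    '10.20.0.5 - - [24/Jul/2023:08:13:00 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 312 "-" "Integration/1.0"',
    '203.0.113.9 - - [24/Jul/2023:08:14:00 +0000] "GET /mifs/c/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jul/2023:08:14:03 +0000] "GET /mifs/aad/api/v2/admins/users?x=1 HTTP/1.1" 401 0 "-" "curl/8.1.2"',
    'not a log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
    print(sources_by_severity(scan(SAMPLE_LOG)))
```

Run it against the real access log with `scan(open(path))`; a "critical" hit means an untrusted client attempted a write to the admin API, which is the account-creation pattern the report describes, and any "high" hit means the user directory or version was actually returned to that client. The allow-list only suppresses noise from known callers: a trusted host that is itself compromised would be missed, so baseline those hosts' request volume separately.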

References

  • NVD: CVE-2023-35078 Detail (https://nvd.nist.gov/vuln/detail/CVE-2023-35078)
  • CISA: Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
  • CISA/NCSC-NO: Joint Cybersecurity Advisory AA23-213A, Threat Actors Exploiting Ivanti EPMM Vulnerabilities (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a)
  • Ivanti: KB Remote Unauthenticated API Access Vulnerability CVE-2023-35078 (https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078)
  • GitHub proof-of-concept repositories:
      • LazyySec/CVE-2023-35078 (https://github.com/LazyySec/CVE-2023-35078)
      • lager1/CVE-2023-35078 (https://github.com/lager1/CVE-2023-35078)
      • lazysec0x21/CVE-2023-35078 (https://github.com/lazysec0x21/CVE-2023-35078)
      • raytheon0x21/CVE-2023-35078 (https://github.com/raytheon0x21/CVE-2023-35078)
      • vchan-in/CVE-2023-35078-Exploit-POC (https://github.com/vchan-in/CVE-2023-35078-Exploit-POC)

Rescana is here for you

At Rescana, we understand the critical importance of safeguarding your digital assets. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2023-35078. We provide comprehensive threat intelligence, continuous monitoring, and expert guidance to ensure your organization's cybersecurity posture remains robust. If you have any questions about this report or any other issue, please contact us at ops@rescana.com. We are here to help you navigate the complex landscape of cybersecurity threats and protect your valuable assets.
