Rampant Exploitation: Ivanti EPMM Flaw Magnified by Newly Disclosed Vulnerability

Exploitation of Ivanti EPMM Flaw Picking Up as New Vulnerability Is Disclosed

August 4, 2023

Introduction

The exploitation of the recently disclosed Ivanti Endpoint Manager Mobile (EPMM) vulnerability, known as CVE-2023-35078, is escalating as a new critical vulnerability, tracked as CVE-2023-35082, is disclosed. The CVE-2023-35078 flaw allows an unauthenticated attacker to obtain sensitive information and make changes to the targeted system. It has been exploited in attacks aimed at the Norwegian government since at least April 2023. Initially, the flaw was only exploited in targeted attacks, but threat intelligence firm GreyNoise has observed exploitation attempts from dozens of unique IP addresses starting on July 31. In total, attacks have been detected from 75 IPs. Additionally, the ShadowServer Foundation reports that there are still approximately 700 internet-exposed instances of the mobile management software that are vulnerable to attacks.

Exploitation Details

In the attacks exploiting CVE-2023-35078, threat actors have also taken advantage of a different EPMM security vulnerability, known as CVE-2023-35081, to upload webshells on the targeted devices and run commands. This week, Ivanti informed its customers about a third new vulnerability, CVE-2023-35082, which allows an unauthenticated, remote attacker to access users’ personally identifiable information and make limited changes to the server. According to Rapid7, the cybersecurity firm that discovered this critical flaw, CVE-2023-35082 bypasses the fix for the previously exploited CVE-2023-35078 flaw. This means that CVE-2023-35081 and CVE-2023-35082 can be chained together to allow an attacker to write malicious webshell files to the appliance, which can then be executed by the attacker.

It is important to note that CVE-2023-35082 can only be exploited against unsupported versions of MobileIron Core, specifically versions 11.2 and below. MobileIron Core was the previous name for EPMM. Ivanti has stated that the vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug and had not previously been identified as a vulnerability.
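The version rule stated above (CVE-2023-35082 affects MobileIron Core 11.2 and below, resolved in 11.3) is the kind of check an inventory script should encode numerically rather than by string comparison. The following is an added example written for this article, not Ivanti's or Rapid7's code; the hostnames and version strings are constructed, and treating patch levels under 11.2 (for example 11.2.0.1) as "11.2 and below" is an assumption.

```python
"""Triage a {host: version} inventory against the CVE-2023-35082 version rule.
Added example; not vendor code. Only CVE-2023-35082 is modelled, because the
article gives no version bounds for CVE-2023-35078 or CVE-2023-35081."""
import re
from typing import Dict, Tuple

# Per the article: MobileIron Core 11.2 and below is affected; 11.3 resolved it.
LAST_AFFECTED_MAJOR_MINOR = (11, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.10.0.1' into (11, 10, 0, 1).

    Numeric tuples avoid the classic string-ordering bug where '11.10' sorts
    before '11.2' and a current build is wrongly flagged as legacy.
    """
    cleaned = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def affected_by_cve_2023_35082(version: str) -> bool:
    """True when major.minor is 11.2 or lower.

    Assumption: any patch level under 11.2 (e.g. 11.2.0.1) counts as
    '11.2 and below', since the article names no 11.2.x fixed build.
    """
    parts = parse_version(version)
    major_minor = (parts[0], parts[1] if len(parts) > 1 else 0)
    return major_minor <= LAST_AFFECTED_MAJOR_MINOR


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected' or 'not-affected' for reporting."""
    return {
        host: "affected" if affected_by_cve_2023_35082(ver) else "not-affected"
        for host, ver in inventory.items()
    }


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "epmm-legacy.example": "11.2.0.1",
    "epmm-old.example": "10.8",
    "epmm-new.example": "11.10.0.3",
    "epmm-current.example": "11.3.0.0",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {state}")
```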

Concerns by Cybersecurity Agencies

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have expressed concerns about the potential for widespread exploitation of these vulnerabilities against government and private sector organizations.

Editorial Analysis

This recent disclosure of vulnerabilities in Ivanti’s EPMM software demonstrates the importance of continuously monitoring and patching software vulnerabilities. The exploitation of these flaws can have serious consequences, as evidenced by the attacks on the Norwegian government. It is crucial for organizations to promptly apply patches and updates provided by software vendors to mitigate these vulnerabilities and reduce the risk of exploitation.

This incident also highlights the importance of proactive threat intelligence and monitoring. Threat intelligence firm GreyNoise was able to detect exploitation attempts from multiple unique IP addresses, indicating a potential escalation in attacks. Organizations should invest in threat intelligence services and tools that can provide real-time alerts and insights into emerging threats and exploits.

Furthermore, the discovery of the third vulnerability, CVE-2023-35082, which bypasses the fix for CVE-2023-35078, serves as a reminder that fixing one vulnerability does not necessarily mean that all related vulnerabilities have been addressed. This emphasizes the need for comprehensive vulnerability management practices, where vulnerabilities are thoroughly assessed and patched to ensure that all related risks are mitigated.

Organizations should also prioritize regular security assessments and penetration testing to identify and address vulnerabilities before they can be exploited by threat actors. By proactively identifying and remediating vulnerabilities, organizations can significantly reduce their attack surface and bolster their cybersecurity defenses.

Internet Security Considerations

In light of these vulnerabilities, it is essential for organizations using Ivanti EPMM or MobileIron Core to promptly update their software to the latest, supported versions. The vulnerabilities being exploited, CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082, have the potential to expose sensitive information, allow unauthorized access, and compromise server integrity.

Additionally, organizations should ensure that they have strong authentication mechanisms in place, such as multi-factor authentication, to prevent unauthorized access to their systems. It is also crucial to regularly monitor network traffic for any suspicious activity and to implement intrusion detection and prevention systems to detect and mitigate potential attacks.

Conclusion

The exploitation of vulnerabilities in Ivanti EPMM software serves as a stark reminder of the ongoing threats faced by organizations in the digital age. Software vulnerabilities can be exploited by threat actors to gain unauthorized access, steal sensitive information, and compromise system integrity. It is imperative for organizations to implement robust vulnerability management practices, including prompt patching and updating of software, proactive threat intelligence, regular security assessments, and strong authentication mechanisms. By prioritizing security and taking proactive measures, organizations can mitigate the risk of exploitation and enhance their overall cybersecurity posture.
