Advisory

Critical Zero-Day Vulnerability in Ivanti Endpoint Manager Exploited to Attack Norwegian Government

Take action: If your company is using Ivanti EPMM, you need to start patching - NOW.


A critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM) was used in the recent attacks on Norwegian government institutions. Ivanti is a US-based enterprise software company whose products include the widely used mobile device management platform Endpoint Manager Mobile (EPMM), previously known as MobileIron Core.

The vulnerability, tracked as CVE-2023-35078 (CVSSv3 score 10, the maximum possible), is an unauthenticated API access problem. Attackers who can reach specific API paths can obtain sensitive information such as names, phone numbers, and other mobile device details. Moreover, the vulnerability allows them to make configuration changes, including creating an admin account with the power to modify the targeted system.

A patch was promptly released, and organizations were strongly advised to install it immediately to mitigate potential risks. With numerous internet-exposed systems, particularly in the United States and Europe, the potential for further attacks is a major concern.

Ivanti faces criticism for its decision not to publicly disclose the advisory, as it was initially hidden behind a paywall. However, after recognizing the seriousness of the situation, the company made the information accessible to all, aiming to raise awareness and encourage prompt action among its users.

Update - Ivanti has disclosed a new security flaw affecting its product Endpoint Manager Mobile (EPMM). This vulnerability, identified as CVE-2023-35081 (CVSS score: 7.8), has been exploited by malicious actors in real-world attacks. It is a directory traversal vulnerability that allows an authenticated administrator to perform arbitrary file writes to the EPMM server. It can be combined with CVE-2023-35078, enabling attackers to bypass administrator authentication and access control list (ACL) restrictions.

The impacted versions include 11.10, 11.9, and 11.8, as well as versions that have reached end-of-life (EoL).

Further analysis has revealed the presence of a WAR file called "mi.war" on Ivanti Sentry, which has been described as a malicious Tomcat application that deletes log entries based on a specific string – "Firefox/107.0" – contained in a text file.
"The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM," the agencies said. "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices."
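The user-agent string quoted above is a usable hunting indicator for defenders reviewing EPMM web access logs. The following script is an added example written for this advisory, not code from Ivanti or the reporting agencies: it parses Combined Log Format lines, flags every request whose User-Agent contains "Firefox/107.0", records whether the client claimed a Windows or Linux platform (both variants were reported), and counts matches per source IP. The log lines, IP addresses and request paths are constructed placeholders; the real API paths involved are not given on this page.

```python
import re
from collections import Counter

# Constructed sample log lines in Combined Log Format. The IPs come from
# documentation ranges and the request paths are placeholders, not the
# actual EPMM API paths (which this advisory does not name).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2023:10:15:01 +0000] "GET /api/example/devices HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0"
198.51.100.7 - - [24/Jul/2023:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/114.0 Safari/537.36"
203.0.113.10 - - [24/Jul/2023:10:16:42 +0000] "POST /api/example/users HTTP/1.1" 200 233 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
192.0.2.44 - - [24/Jul/2023:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicator quoted in the advisory: the user agent the actors used against EPMM.
UA_INDICATOR = "Firefox/107.0"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_platform(ua):
    """Label the platform claimed in the UA; the report mentions Linux and Windows variants."""
    if "Linux" in ua:
        return "Linux"
    if "Windows" in ua:
        return "Windows"
    return "other"


def find_suspect_requests(log_text, ua_marker=UA_INDICATOR):
    """Return parsed requests whose User-Agent contains the indicator string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ua_marker in rec["ua"]:
            rec["platform"] = classify_platform(rec["ua"])
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count matching requests per source IP to surface repeat callers."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    matches = find_suspect_requests(SAMPLE_LOG)
    for h in matches:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} status={h["status"]} [{h["platform"]}]')
    print("matches per source:", dict(summarize_by_source(matches)))
```

Two caveats when using this. First, Firefox 107 was a legitimate browser release, so a match is a lead to investigate against the requested path and the account activity that followed, not proof of compromise on its own. Second, the advisory notes that the malicious "mi.war" on Ivanti Sentry removes log entries containing exactly this string, so the local log may have been scrubbed; run the search against logs that were forwarded to a SIEM or other off-box store, and treat an unexplained gap in the local log as a finding in itself.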