Ivanti MDM users told to patch against two dangerous flaws

Users of Ivanti’s Endpoint Manager Mobile (EPMM) mobile device management (MDM) platform have been warned to act now to patch two vulnerabilities – one of them a zero-day – that have been chained by a threat actor in a series of cyber attacks on the Norwegian government.

The attack on government bodies in Norway unfolded over a period of several months, but was first uncovered on 12 July 2023 and disclosed on 24 July. A total of 12 agencies were affected, and staffers were left unable to access a number of shared services via their mobile devices, such as email.

According to the US Cybersecurity and Infrastructure Security Agency (CISA) and its Norwegian counterpart, NCSC-NO, the zero-day vulnerability, CVE-2023-35078, was used between April and July to gather information from several organisations in Norway, prior to being patched by Ivanti on 23 July.

However, they said, following this, Ivanti was able to determine the threat actor could use this zero-day alongside another vulnerability, CVE-2023-35081, to achieve a deeper impact.

CVE-2023-35078 is an authentication bypass vulnerability that enables a threat actor to access personally-identifiable information (PII) and make configuration changes on compromised systems via Ivanti EPMM – which was previously known as MobileIron Core).

When CVE-2023-35081, a directory traversal vulnerability, is added to the mix, a threat actor with EPMM management privileges gains the ability to write arbitrary files – that is to say, to deploy web shells.

“MDM systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks,” the organisations said in a joint advisory notice.

CISA and NCSC-NO said that MDM systems should in any case be treated as highly valuable assets and therefore subjected to additional restrictions and monitoring, given they provide access to thousands of potential hosts.

Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalogue, which obliges American federal bodies to patch them within the next few weeks.

Ivanti said it was currently aware of only a limited number of customers that have seen exploitation of the two vulnerabilities in question, but said that the chaining of the two clearly posed the greatest risk.

Computer Weekly understands that its investigation has found no evidence that it has been compromised itself, or that the vulnerabilities were introduced into its code maliciously.

According to Palo Alto Networks’ Unit 42, there are approximately 5,500 Ivanti EPMM servers exposed to the public internet, with Germany and the US the most exposed countries, with more than 1,000 instances observed. Approximately 6.5% of the total, about 358 servers, appear to be located in the UK.

The Uni 42 team said that although the Norwegian government is the only currently known victim of the exploit chain, others will likely have been affected.

No details of the threat group observed exploiting the two vulnerabilities – or any potential nation-state affiliation – have been disclosed.