There are three vulnerabilities impacting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core: CVE-2023-35078 and CVE-2023-35082, which are both authentication bypass vulnerabilities that enable unauthorized access; and CVE-2023-35081, a directory traversal vulnerability that allows privilege escalation and arbitrary file write. These Ivanti EPMM vulnerabilities have been observed in active cyber attacks on systems running the affected versions.

Threat actors can chain all three vulnerabilities to achieve privileged access to EPMM systems. The following Ivanti products are impacted:

  • Ivanti Endpoint Manager Mobile 11.10
  • Ivanti Endpoint Manager Mobile 11.9
  • Ivanti Endpoint Manager Mobile 11.8
  • MobileIron Core version 11.7 and below

Additionally, Ivanti Sentry is impacted by CVE-2023-38035, an authentication bypass vulnerability.

This article will clarify how these vulnerabilities impact your use of Ivanti EPMM or MobileIron Core, as well as how to identify and mitigate potential risk.

What are CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082?

Ivanti EPMM is a mobile device management (MDM) tool often used to set IT policies for mobile services. With endpoint management software, you can use one interface to manage devices and applications. Because MDM and other endpoint management tools provide access to a variety of devices, privileges should be limited to only the team members who need them.

CVE-2023-35078 and CVE-2023-35082 are critical zero-day vulnerabilities that are exploited to gain unauthorized access. Both are authentication bypass vulnerabilities wherein an unauthenticated remote threat actor can access the system, navigate various API paths, gather personally identifiable information (PII) for users, and make configuration changes to the server, such as deploying webshells to compromise servers, pushing new packages to mobile endpoints, and creating new administrative accounts.

CVE-2023-35081 is a path traversal vulnerability that allows an authenticated administrator to write new files to the EPMM server. If malicious attackers chain CVE-2023-35081 with either of the authentication bypass vulnerabilities, they can escalate privileges on the web server without authenticating and perform malicious activities with admin privileges.

CVE-2023-38035 is an authentication bypass vulnerability impacting the administrator interface of Ivanti/MobileIron Sentry; it does not impact Ivanti EPMM. In its knowledge base article, Ivanti shared that this vulnerability can be exploited after the EPMM vulnerabilities are exploited. Ivanti has provided an RPM script to apply to the product.

Current Impact of Ivanti EPMM/MobileIron CVEs

All three of these vulnerabilities have the potential for great harm to your system. CVE-2023-35078 has a critical CVSS score: 10.0 per the CVE Numbering Authority (CNA) and 9.8 per the National Vulnerability Database (NVD). CVE-2023-35082 is not yet scored but will likely carry a similar score to CVE-2023-35078. While CVE-2023-35081 is still undergoing analysis, the CNA has provided a high CVSS score of 7.2.

Both CVE-2023-35078 and CVE-2023-35081 have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, and active exploitation of vulnerable systems has been observed for each of these CVEs. The Norwegian National Security Authority (NSM) confirmed that multiple Norwegian government agencies were targeted in attacks exploiting the authentication bypass (CVE-2023-35078).

Your system is impacted by these vulnerabilities if you are using one of these affected versions:

  • Ivanti Endpoint Manager Mobile 11.10
  • Ivanti Endpoint Manager Mobile 11.9
  • Ivanti Endpoint Manager Mobile 11.8
  • MobileIron Core version 11.7 and below

How UpGuard Can Help

Continuous monitoring of your external attack surface can help you take proactive measures against any potential known and unknown vulnerabilities, including the CVEs affecting Ivanti EPMM and MobileIron Core. UpGuard's non-intrusive scanning detects when the affected Ivanti products are in use among your internet-facing assets, and you will be notified with specific findings for each CVE.

If you or a vendor are using Ivanti EPMM or MobileIron Core, you should determine whether it has been updated to a secure version. You can send a remediation request within UpGuard, which will enable the technology owner to assert the current version of the product.


How to Mitigate the Ivanti EPMM/MobileIron Vulnerabilities

If you are currently using Ivanti Endpoint Manager Mobile versions 11.10, 11.9 or 11.8, you should immediately upgrade and apply the RPM script supplied by Ivanti. You can use the System Manager portal to upgrade to the patch releases (11.10.0.3, 11.9.1.2, and 11.8.1.2).

If you are using MobileIron Core 11.7 and below, you should immediately discontinue use and migrate to Endpoint Manager Mobile, as Ivanti is not likely to release a security patch for MobileIron Core.

"MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing an RPM script or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats," Ivanti stated in the patch release.

If your systems have been impacted by malicious actors, you should work with your security team on an immediate incident response plan that includes quarantining compromised systems and following recommended security practices. If your system uses any of the impacted versions but has not been exploited by threat actors, you should also follow the mitigation recommendations.

Run Ivanti's RPM script with a security update for CVE-2023-35082

In their security advisory, Ivanti states that this script was tested on EPMM 11.7 and can be installed on versions 11.3 and higher. Ensure that your system is moved off the impacted versions immediately and migrated to a supported release so that you can run the script.

Access your server as an administrative user so that you can run two RPM scripts. RPM is an open-source package manager. The first script will clean up older RPM downloads:

install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-cli-cleanup-1.0.0-1.noarch.rpm

This script was initially released to mitigate the impacts of CVE-2023-35078.

Then apply the script from Ivanti with a security update for CVE-2023-35082:

install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-3.0.0-3.noarch.rpm

Once the security update has run, follow the instructions shown in the terminal to reload the system.

Run Ivanti's RPM script with a security update for CVE-2023-35078

If you are unable to migrate to EPMM version 11.8 or higher, you can run the first RPM script to mitigate the impacts of CVE-2023-35078. Ivanti's security advisory indicates that this script will not persist after an upgrade, so it is recommended to upgrade to a supported version (11.8 or higher) so that this update will persist.

Run the RPM script geared toward CVE-2023-35078:

install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rpm

Once the security update has run, follow the instructions shown in the terminal to reload the system. For more information on the scripts, refer to Ivanti's Knowledge Base article.

How to Identify Compromised Systems

If your system was using an impacted version, you should evaluate potential threat activity and validate your security controls while making the necessary updates.

You can use the process provided in CISA Alert AA23-213A to assess your system using the two Nuclei templates geared toward CVE-2023-35078 and CVE-2023-35081.

The Norwegian National Cyber Security Centre (NCSC-NO), which released the joint advisory with CISA, provided a series of checks you can run to evaluate potential compromise:

  • Search for /mifs/aad/api/v2/ and mifs/asfV3/api/v2/ in your centralized logs or forwarded syslogs. The first string identifies the API endpoint targeted via CVE-2023-35078, and the second identifies the endpoint targeted via CVE-2023-35082.
  • Review activity in your Active Directory for increases in EventCode=1644, as well as 4662, 5136, and 1153.
  • Review any traffic from EPMM devices to internal servers and any TLS traffic toward EPMM servers with TLS certificates unrelated to the EPMM instance.
  • Review disk and memory retention, as well as unallocated disk space, in case log entries were deleted.
  • Assess activity from ASUS routers to EPMM and Sentry devices.
  • Cross-reference the NCSC-NO's documentation of hashes and user agents from known threat activity for indicators of compromise against your own system.
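As an added example that is not part of the article, the CISA/NCSC-NO advisory, or Ivanti's own tooling, the following Python script applies the first two checks above to constructed sample data: it scans access-log lines in Apache common log format for the two API path strings and maps each hit to the CVE named above, and it compares daily counts of the listed Active Directory event codes against a per-code baseline that you supply. The log format, the sample lines, the baseline values and the 3x spike threshold are all assumptions; adapt them to how your SIEM exports data.

```python
import re
from collections import Counter

# API path strings from the NCSC-NO checks, mapped to the CVE each relates to.
# The second string has no leading slash on the advisory, so a substring match is used.
SUSPECT_PATHS = {
    "/mifs/aad/api/v2/": "CVE-2023-35078",
    "mifs/asfV3/api/v2/": "CVE-2023-35082",
}

# Apache common log format (assumed): client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspect_requests(lines):
    """Return one finding per access-log line whose request path contains a suspect string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line (or a different format): skip, don't crash
        path = m.group("path")
        for needle, cve in SUSPECT_PATHS.items():
            if needle in path:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": path,
                    "status": int(m.group("status")),
                    "cve": cve,
                })
                break
    return findings


# Active Directory event codes named in the NCSC-NO checks.
WATCHED_EVENT_CODES = {1644, 4662, 5136, 1153}


def event_code_spikes(events, baseline, factor=3):
    """Flag (day, event_code) pairs whose count exceeds factor * baseline[event_code].

    events:   iterable of (day, event_code) tuples, e.g. exported from your SIEM
    baseline: dict event_code -> typical daily count for your environment (assumed values)
    """
    counts = Counter((day, code) for day, code in events if code in WATCHED_EVENT_CODES)
    return {key: n for key, n in counts.items() if n > factor * baseline.get(key[1], 0)}


# Constructed sample access-log lines (documentation IP ranges, invented timestamps).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [24/Jul/2023:10:01:12 +0000] "GET /mifs/aad/api/v2/ HTTP/1.1" 200 1532',
    '198.51.100.4 - - [24/Jul/2023:10:02:40 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/Jul/2023:10:03:05 +0000] "GET /mifs/asfV3/api/v2/ HTTP/1.1" 200 230',
    'not an access-log line at all',
]

# Constructed sample AD events as (day, event_code); 4624 is included only to show filtering.
SAMPLE_AD_EVENTS = (
    [("2023-07-24", 4662)] * 12
    + [("2023-07-24", 5136)] * 2
    + [("2023-07-23", 4662)] * 3
    + [("2023-07-24", 4624)] * 50
)

# Assumed per-day baseline for the watched event codes; measure your own before relying on this.
BASELINE = {1644: 1, 4662: 3, 5136: 2, 1153: 1}


if __name__ == "__main__":
    for f in find_suspect_requests(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['cve']}")
    for (day, code), n in event_code_spikes(SAMPLE_AD_EVENTS, BASELINE).items():
        print(f"{day}: EventCode={code} seen {n} times (baseline {BASELINE[code]})")
```

Run against the sample data, the script reports the two requests that touch the listed API paths and the one day on which EventCode 4662 exceeds three times its baseline; the unrelated login request and the unwatched 4624 events are ignored. A hit on one of the path strings is a reason to investigate, not proof of compromise on its own, which is why the output keeps the source IP, timestamp and status code for follow-up.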
