Another actively exploited zero-day vulnerability (CVE-2023-35081) affecting Ivanti Endpoint Manager Mobile (EPMM) has been identified and fixed.
The first zero-day spotted
Last week, we reported on a remote unauthenticated API access vulnerability (CVE-2023-35078) affecting Ivanti EPMM that had been exploited to target Norwegian ministries.
The company stated that the vulnerability has impacted a limited number of customers and has released a patch, but did not share any other details or indicators of compromise with the public.
But the infosec community quickly ferreted out the vulnerable API endpoint, the nature of the vulnerability, how it can be exploited, and how organizations can check whether the vulnerability has been exploited in their systems.
About CVE-2023-35081
CVE-2023-35081, discovered with the help of Mnemonic researchers, is a remote arbitrary file write vulnerability that could allow a threat actor to remotely create, modify, or delete files in the Ivanti EPMM server.
“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable),” the company explained.
“Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.”
CVE-2023-35081 also impacts all supported EPMM versions (11.10, 11.9 and 11.8) and older releases. Ivanti has made a patch available and is urging customers to update as soon as possible, warning that “the chaining of these two vulnerabilities is what poses the greatest risk”.
The impact
CVE-2023-35078 and CVE-2023-35081 have been used together in the attacks. CVE-2023-35078 – an authentication bypass flaw – reduces the complexity of executing CVE-2023-35081 – which enables attackers (now acting as an authenticated administrator) to perform arbitrary file writes to the EPMM server.
“As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081,” Ivanti noted.
The company has still not shared indicators of compromise publicly because “the situation is still evolving”. It is telling customers to get in touch with Ivanti Support for guidance if they suspect that they may have been breached.
Ivanti has also stressed that, as far as it can currently tell, this vulnerability was not introduced into its code development process maliciously, and that Ivanti itself hasn’t been breached via these vulnerabilities.