Ivanti has released security patches for a path traversal flaw, tracked as CVE-2023-35081, in its Endpoint Manager Mobile (EPMM) software, formerly known as MobileIron Core. The vulnerability was exploited as a zero-day in the attacks on the IT systems of several Norwegian ministries. Ivanti strongly recommends that customers update immediately to protect against further attacks.
According to Ivanti, the flaw allows an authenticated administrator to write arbitrary files to the Endpoint Manager Mobile server. On its own it requires administrator credentials, but chained with CVE-2023-35078, an authentication bypass, an attacker can sidestep administrator authentication and ACL restrictions and reach the vulnerable functionality without valid credentials. Successful exploitation lets an attacker write malicious files to the appliance and ultimately execute OS commands on it as the tomcat user. At the time of writing, Ivanti is aware of only a limited number of customers impacted by CVE-2023-35078 and CVE-2023-35081 used in combination.
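To make the bug class concrete, the following is an added example (not Ivanti's code, and not a reconstruction of the EPMM flaw) of a file-upload handler that trusts a caller-supplied file name, beside a hardened version that canonicalises the path and refuses anything that resolves outside the upload directory. The handler names, the upload directory and the sample file names are all constructed for the illustration.

```python
"""Path-traversal arbitrary file write: vulnerable handler beside a hardened one.

Added illustration, not Ivanti's code. The upload directory and file names
below are constructed for the example.
"""
import os
import tempfile
from pathlib import Path

# Constructed sample inputs: an ordinary upload name and a traversal attempt.
SAFE_NAME = "report.txt"
TRAVERSAL_NAME = "../escaped/backdoor.sh"  # constructed; escapes the upload dir


def write_upload_vulnerable(base_dir: str, filename: str, data: bytes) -> str:
    """Naive join: a '../' sequence in filename walks out of base_dir.

    This is the pattern that turns an 'upload a file' feature into an
    arbitrary file write wherever the service account has permission.
    """
    target = os.path.join(base_dir, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.abspath(target)


def resolve_within(base_dir: str, filename: str) -> Path:
    """Canonicalise and require the result to be a direct child of base_dir.

    Rejects separators and dot names up front, then resolves the candidate
    (following symlinks) and checks containment, so both '../' sequences and
    a symlink planted inside the upload directory are refused.
    """
    if not filename or filename in {".", ".."} or "/" in filename or "\\" in filename:
        raise ValueError(f"invalid file name: {filename!r}")
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return candidate


def write_upload_hardened(base_dir: str, filename: str, data: bytes) -> str:
    """Same operation, but only after the containment check passes."""
    target = resolve_within(base_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def demo() -> dict:
    """Run both handlers inside a throwaway tree and report where writes landed."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        results = {}
        results["vuln_safe"] = write_upload_vulnerable(uploads, SAFE_NAME, b"ok")
        results["vuln_traversal"] = write_upload_vulnerable(uploads, TRAVERSAL_NAME, b"evil")
        # True when the traversal name produced a file outside the upload dir.
        results["vuln_escaped"] = not results["vuln_traversal"].startswith(uploads + os.sep)
        results["hard_safe"] = write_upload_hardened(uploads, SAFE_NAME, b"ok")
        try:
            write_upload_hardened(uploads, TRAVERSAL_NAME, b"evil")
            results["hard_blocked"] = False
        except ValueError:
            results["hard_blocked"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is that the check is done on the resolved path, not on the raw string: string filters for `..` are easy to bypass with encoding tricks or symlinks, whereas comparing `candidate.parent` to the resolved base directory answers the only question that matters, namely where the bytes will actually land. Note also that a containment check does not help if the attacker already holds an administrator session obtained through an authentication bypass; that is exactly why the two Ivanti flaws are dangerous together, and why the authentication layer must be patched as well.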
CVE-2023-35078 was also exploited as a zero-day in the same attacks on Norwegian government entities, in that case to steal personally identifiable information (PII) such as names, phone numbers and other mobile device details. The flaw additionally allows attackers to create Endpoint Manager Mobile administrative accounts, which can then be used to make further changes to unpatched appliances.
Shodan search results show over 2,600 MobileIron user portals currently exposed to the internet, roughly three dozen of them belonging to U.S. state and local government agencies. Given that, administrators and security teams are advised to upgrade their Ivanti Endpoint Manager Mobile installations to the latest version immediately.
The Norwegian National Security Authority confirmed on Tuesday that CVE-2023-35078 was exploited to breach a software platform used by the country's government agencies. The Norwegian Security and Service Organization stated, however, that the attack did not affect the Prime Minister's Office, the Ministry of Defence, the Ministry of Justice or the Ministry of Foreign Affairs. The Norwegian Data Protection Authority has also been notified of the incident, reflecting concern that the attackers may have accessed or exfiltrated sensitive data from the compromised government systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog, ordering U.S. Federal Civilian Executive Branch agencies to patch their systems by August 15th, and is expected to issue a similar directive for CVE-2023-35081 soon. CISA has warned that such vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.