www.belgium.be Logo of the federal government

Warning: Another critical vulnerability has been discovered in Ivanti EPMM / Mobile Iron, affecting all versions

Référence: 
Advisory #2023-97
Version: 
1.0
Logiciels concernés : 
Ivanti Endpoint Manager Mobile (EPMM): v11.10, v11.9, v11.8
Ivanti MobileIron Core (Unsupported versions) <= v11.7
Type: 
Unauthenticated API Access Vulnerability
CVE/CVSS: 

CVE-2023-35082: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Date: 
10/08/2023

Sources

https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US

https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

Risques

If exploited, this vulnerability enables an unauthorized, remote actor to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform. When this vulnerability is chained with another vulnerability, e.g. CVE-2023-35081, an attacker could be able to deploy a web shell on the targeted server.

This vulnerability impacts ALL vertices of the CIA triad.

Description

This authentication bypass vulnerability was discovered by Rapid7 researchers when investigating CVE-2023-35078, another authentication bypass vulnerability in Ivanti EPMM. (See our advisory of 25/07/2023)

CVE-2023-35082 was first reported to be only affecting MobileIron Core version 11.2 and prior, but further investigation revealed that this vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below.

Ivanti provided a RPM script that only addresses CVE-2023-35082 and does not address prior vulnerabilities. Ivanti recommends moving to a patched, supported release (EPMM v11.8.1.2, v11.9.1.2 & v11.10.0.3) first before applying the RPM script. When available, version 11.11 will address all known vulnerabilities.

Actions recommandées

The Centre for Cybersecurity Belgium strongly recommends Windows system administrators to take the following actions:

Ivanti highly recommends to upgrade to a supported version of Ivanti Endpoint Manager Mobile (v11.8.1.2, v11.9.1.2 & v11.10.0.3) before running the RPM Script to address CVE-2023-35082.

Some remarks about the script by Ivanti:

  • The RPM script was tested on EPMM 11.7 and determined to be effective. 
  • Ivanti has not explicitly tested other unsupported versions, but the RPM script can be installed on versions 11.3 and above. 
  • The RPM script will not be effective on versions prior to 11.3 and may cause the appliance to become unstable. 
  • The RPM script should be run on all servers, primary, secondary and tertiary.

Références

https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/