Warning: Another critical vulnerability has been discovered in Ivanti EPMM / Mobile Iron, affecting all versions
CVE-2023-35082: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
If exploited, this vulnerability enables an unauthorized, remote actor to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform. When this vulnerability is chained with another vulnerability, e.g. CVE-2023-35081, an attacker could be able to deploy a web shell on the targeted server.
This vulnerability impacts ALL vertices of the CIA triad.
This authentication bypass vulnerability was discovered by Rapid7 researchers when investigating CVE-2023-35078, another authentication bypass vulnerability in Ivanti EPMM. (See our advisory of 25/07/2023)
CVE-2023-35082 was first reported to be only affecting MobileIron Core version 11.2 and prior, but further investigation revealed that this vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below.
Ivanti provided a RPM script that only addresses CVE-2023-35082 and does not address prior vulnerabilities. Ivanti recommends moving to a patched, supported release (EPMM v184.108.40.206, v220.127.116.11 & v18.104.22.168) first before applying the RPM script. When available, version 11.11 will address all known vulnerabilities.
The Centre for Cybersecurity Belgium strongly recommends Windows system administrators to take the following actions:
Ivanti highly recommends to upgrade to a supported version of Ivanti Endpoint Manager Mobile (v22.214.171.124, v126.96.36.199 & v188.8.131.52) before running the RPM Script to address CVE-2023-35082.
Some remarks about the script by Ivanti:
- The RPM script was tested on EPMM 11.7 and determined to be effective.
- Ivanti has not explicitly tested other unsupported versions, but the RPM script can be installed on versions 11.3 and above.
- The RPM script will not be effective on versions prior to 11.3 and may cause the appliance to become unstable.
- The RPM script should be run on all servers, primary, secondary and tertiary.