A zero-day authentication bypass vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM). CVE-2023-35078 has been given critical severity ratings with a CVSS score of 10. Successful exploitation of the vulnerability may allow unauthorized users to access restricted functionality or resources of the application.
CISA has added a publicly exploited CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog urging users to apply the patch before August 15.
Ivanti Endpoint Manager Mobile (EPMM) manages and secures mobile devices. The tool simplifies inventory, configuration, and management of mobile devices. In addition, it helps in creating profiles and enforcing restrictions and security policies.
Vulnerability Description
An unauthorized, remote (internet-facing) attacker could obtain users’ personally identifiable information and make restricted server changes by exploiting the vulnerability.
The advisory states, “We are only aware of a minimal number of impacted customers.” There is no public proof-of-concept available for the vulnerability.
The Department’s Security and Service Organization (DSS) was the target of a data attack using this zero-day vulnerability. The National Security Authority and the DSS announced this at a press conference on Monday, July 24, 2023.
Affected Versions
This vulnerability impacts Ivanti EPMM versions 11.8, 11.9, and 11.10. Older versions or releases are also at risk.
Mitigation
Customers must upgrade to the following versions to patch the vulnerability:
- 11.10.0.2
- 11.9.1.1
- 11.8.1.1
Please refer to the Ivanti Security Updates for more information.
Qualys Detection
Qualys customers can scan their devices with QID 730860 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://nsm.no/aktuelt/nulldagssarbarhet-i-ivanti-endpoint-manager-mobileiron-core
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US