Saturday, May 18, 2024

Ivanti EPMM Vulnerability Being Actively Exploited, Alerts U.S. Cybersecurity Agency

A serious issue that has been fixed and affects Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core was added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its list of known exploited vulnerabilities (KEV) on Thursday. The agency stated that the flaw is being actively exploited in the field.

The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), a bypass of the patch for another vulnerability in the same product, tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited as a zero-day in attacks against Norwegian government entities in April 2023.

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti wrote in August 2023.

The issue affects Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, and 11.8 as well as MobileIron Core versions 11.7 and below.

The vulnerability can be chained with CVE-2023-35081 to allow an attacker to write malicious web shell files to the appliance, according to cybersecurity firm Rapid7, which found and disclosed the problem.

As of now, no details are available about how the vulnerability is being weaponized in real-world attacks. Federal agencies are advised to apply the vendor-provided updates by February 8, 2024.

Ivanti plans to release patches next week. The disclosure coincides with the widespread exploitation of two other zero-day vulnerabilities in Ivanti Connect Secure (ICS) virtual private network (VPN) appliances (CVE-2023-46805 and CVE-2024-21887), which allow the installation of web shells and passive backdoors.

“We have observed the threat actor target the configuration and running cache of the system, which contains secrets important to the operation of the VPN,” Ivanti stated in a security statement.

“While we haven’t observed this in every instance, out of an abundance of caution, Ivanti is recommending you rotate these secrets after rebuild.”

This week, Volexity disclosed that it has found evidence of compromise on more than 2,100 devices worldwide. Although the first instance of exploitation was attributed to UTA0178, a suspected Chinese threat actor, many other threat actors have since joined in exploiting the flaws.

Government, defense contractors, telecoms, technology, banking, consulting, aerospace, aviation, and engineering firms in the United States, Germany, the United Kingdom, France, Spain, China, India, Australia, Russia, and Brazil have all been the target of the intrusions.

The cybersecurity company also reported that UTA0178, the suspected Chinese threat actor behind the first wave of attacks in December 2023, tampered with the appliance's built-in Integrity Checker Tool in an effort to evade detection.

Security researchers Matthew Meltzer, Sean Koessel, and Steven Adair stated, “Analysis of this file uncovered evidence that it had been modified so the system’s built-in Integrity Checker Tool would always indicate no findings, even if new or mismatched files were actually detected.”

To guard against a device being compromised again, organizations are advised to apply the mitigation provided by Ivanti after importing any backup configuration.

Through extensive reverse engineering of the two flaws, Assetnote discovered an additional endpoint (“/api/v1/totp/user-backup-code”) that allows the authentication bypass flaw (CVE-2023-46805) to be exploited on older versions of ICS and a reverse shell to be obtained.
