Ivanti zero-day exploited to target Norwegian government (CVE-2023-35078)

A zero-day vulnerability (CVE-2023-35078) affecting Ivanti Endpoint Manager Mobile (EPMM) has been exploited to carry out an attack that affected 12 Norwegian ministries, the Norwegian National Security Authority (NSM) has confirmed on Tuesday.


What is known about the attacks?

On Monday, the Norwegian government said that the attack was detected on the ICT platform used by the 12 ministries, though it did not name the platform at the time.

The ICT platform – now confirmed to be Ivanti Endpoint Manager Mobile (formerly MobileIron Core) – is used by all the Norwegian ministries except the Office of the Prime Minister, the Ministry of Defence, the Ministry of Justice and Public Security and the Ministry of Foreign Affairs.

“We have detected a previously unknown vulnerability in one of our suppliers’ software. This vulnerability has been exploited by an unknown third party. This vulnerability has now been fixed. It is still too early to say anything about who is behind the attack or the extent of the attack. Our investigations and the police investigations will provide more answers,” said Erik Hope, Director General of the Norwegian Government Security and Service Organisation (DSS).

According to Reuters, the attack was spotted on July 12 due to “unusual” traffic on the vulnerable mobile endpoint management platform.

Since the Norwegian Data Protection Authority has also been notified about the attack, it’s likely that the attackers managed to access and/or steal sensitive data from the compromised platform.

About the vulnerability (CVE-2023-35078)

CVE-2023-35078 is an authentication bypass vulnerability that allows remote unauthenticated API access to specific paths.

“An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system,” the Cybersecurity and Infrastructure Security Agency (CISA) explained.

Ivanti said on Monday that they have received information from a credible source indicating exploitation has occurred. “We are only aware of a very limited number of customers that have been impacted.”

CVE-2023-35078 affects all supported versions of EPMM (v11.10, 11.9 and 11.8) and older unsupported releases. The vulnerability has been patched in versions 11.10.0.2, 11.9.1.1 and 11.8.1.1.

The flaw has a “perfect” 10.0 CVSS score. Security researcher Kevin Beaumont says that it’s very easy to exploit and recommends that admins upgrade to a fixed version as soon as possible. “If you can’t get off EOL [end-of-life versions], switch off the appliance.”

IoT search engine Shodan can find over 2,900 internet-facing EPMM user portals, mostly in the US and Europe. Shadowserver shows similar results.

Beaumont says that a vast majority of organizations haven’t patched, including UK and US government orgs. He also says that he has set up a honeypot and it’s already being probed via the API.

Vulnerability disclosure

Rumors about an “Ivanti Endpoint Manager” zero-day being exploited in the wild floated around the internet half a day before Ivanti published the post telling users about the critical updates.

No known indicators of compromise have been publicly shared to allow customers to check whether the attackers hit more than just the Norwegian government.

“This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world. The update is now generally available and it is prudent to announce what kind of vulnerability it is,” Sofie Nystrøm, director of the National Security Agency, said today.

The Norwegian National Cyber Security Center has notified all known system owners (businesses) in the country who have MobileIron Core available on the internet about the released security update.

UPDATE (July 26, 2023, 07:00 a.m. ET):

CISA has added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog, which means Federal Civilian Executive Branch (FCEB) agencies have to remediate it by August 15 to protect their networks against exploitation.

Mnemonic incident responders have been called in to respond to an attack and say that it’s easy to identify if the vulnerability has been exploited in an organization’s systems.

“By reviewing your logs, you should be able to see whether the API v2 endpoint in Ivanti EPMM has been exploited. The API v2 is accessible without any authentication by changing the URI path. The API documentation describes that https://[core server]/api/v2/ is the base URL for all API calls. If you prepend the path to a vulnerable endpoint, you need no authentication to execute commands like this: https://[core server]/vulnerable/path/api/v2/,” they noted.
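The log review Mnemonic describes can be scripted: the tell-tale pattern is a request whose path reaches the documented `/api/v2/` base through a prepended URI prefix. The following is an added example written for this article, not code from Mnemonic or Ivanti; it assumes the appliance's web server writes the common/combined log format, and the prefix in the constructed sample lines is a placeholder, not a real bypass path.

```python
"""Scan access-log lines for the CVE-2023-35078 pattern: /api/v2/ reached
through a prepended path prefix rather than at the start of the URI."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_suspicious_path(target: str) -> bool:
    """True when /api/v2/ appears in the path but not as its first segment."""
    path = urlsplit(target).path            # drop query string and fragment
    norm = re.sub(r"/+", "/", path).lower()  # collapse '//' and ignore case
    return norm.find("/api/v2/") > 0         # 0 = legitimate base path, -1 = absent

def scan_log(lines):
    """Return (ip, timestamp, method, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_path(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"], m["status"]))
    return hits

def sources(hits):
    """Count suspicious requests per client address to prioritise triage."""
    return Counter(hit[0] for hit in hits)

# Constructed sample lines; '/PLACEHOLDER/prefix' stands in for any prepended path.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2023:03:14:07 +0000] "GET /api/v2/ping HTTP/1.1" 401 123 "-" "curl/7.88.1"',
    '203.0.113.5 - - [12/Jul/2023:03:14:09 +0000] "GET /PLACEHOLDER/prefix/api/v2/users HTTP/1.1" 200 5120 "-" "curl/7.88.1"',
    '198.51.100.7 - - [12/Jul/2023:03:20:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2023:03:15:30 +0000] "POST /placeholder/prefix//api/v2/admins HTTP/1.1" 200 310 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("SUSPICIOUS", *hit)
    print("by source:", dict(sources(scan_log(SAMPLE_LOG))))
```

A 2xx status on a flagged line is the strongest signal, since the page states these prefixed requests need no authentication to succeed.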

Kevin Beaumont – who dubbed the flaw “MobileIrony” – has also explained how the vulnerability can be exploited to do things like list user information, add administrative users, replace system configuration, change the configuration of managed mobile devices (or wipe them!), search Active Directory inside the organization, and more.

“All of this can be done with a curl request, or even using a web browser,” he says. “All you have to do is change the API path by a few characters. The API is publicly documented, the different endpoint path is all you need for exploitation.”
