Two critical vulnerabilities were discovered last week, affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. EPMM is a Mobile Device Management (MDM) and Unified Endpoint Management (UEM) solution offered by Ivanti to help organizations manage and secure mobile devices, such as smartphones and tablets, as well as other endpoints like computers and servers, from a centralized platform.
What Is the Case?
CVE-2023-35078 is an authentication bypass that allows remote, unauthenticated attackers to obtain Personally Identifiable Information (PII), add an administrative account, and change the configuration of the appliance. It is believed to have been exploited as a zero-day from at least April 2023 through July 2023 to obtain information from several Norwegian organizations and to gain access to and compromise a Norwegian government agency’s network. A zero-day vulnerability is one that is unknown even to the software vendor, so no fix exists when it is first abused; until it is mitigated, attackers can exploit it at will, and such attacks are commonly referred to as zero-day exploits or zero-day attacks.
According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability, CVE-2023-35081, a directory traversal flaw, to gain initial privileged access to EPMM systems and execute uploaded files such as web shells. A web shell is a malicious script or program that gives attackers backdoor access to the server, allowing them to execute arbitrary commands, upload and download files, manipulate data, and perform other actions on the compromised system.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) released a joint Cybersecurity Advisory (CSA) in response to active exploitation of the vulnerabilities by Advanced Persistent Threat (APT) actors. The term refers to highly skilled and organized hacking groups that conduct sustained, sophisticated attacks against specific targets, meticulously planned and executed with the intention of gaining long-term, covert access to the target’s network or systems.
What Products Are Impacted?
Both vulnerabilities impact all supported versions of Ivanti EPMM, including 11.8, 11.9 and 11.10; older, unsupported versions are also considered to be at risk. Ivanti released corresponding patches on July 23, 2023 for CVE-2023-35078 and on July 28, 2023 for CVE-2023-35081.
How to Protect Your Organization
It is critical that customers take immediate action to ensure their environment remains protected.
Update Your Ivanti Environment
- Identify all the Ivanti EPMM instances running locally in your environment.
- Upgrade EPMM instances with patch releases:
a. For supported EPMM releases (11.8, 11.9 and 11.10), upgrade to the patch release Ivanti published for that branch. Make sure the installed version addresses both CVEs, not only the July 23 patch for CVE-2023-35078.
b. For older, unsupported EPMM releases, Ivanti highly recommends upgrading to the latest version of EPMM to ensure they have the latest security and stability fixes.
Monitor Your Ivanti Environment
While the earlier task might be performed quickly in small environments, with a single EPMM instance or a couple of instances and a limited number of active users, it will realistically take longer in larger organizations with more instances, complex network infrastructure, tens of thousands of active users and specific validation procedures that require proper change management processes to be followed.
In these cases, CISA recommends investigating log files from a centralized logging solution, or Syslog forwarded from all EPMM devices, for specific entries that indicate a potential attack or attempt. If such activity is detected, organizations should quarantine or take offline the potentially affected hosts, provision new account credentials, collect and review artifacts such as running processes and services, unusual authentications and recent network connections, and report the incident to CISA.
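The log review described above, as an added example that is not part of this article and not ISEC7 or Ivanti code. It parses Syslog-forwarded HTTP access-log lines from an EPMM appliance, flags requests whose path matches an indicator regex, and distinguishes successful bypasses (2xx responses) from blocked attempts. The Syslog/access-log line format and the sample lines are constructed for illustration; the unauthenticated API path prefix used as the indicator comes from the public Ivanti and CISA guidance for CVE-2023-35078, not from this article, and the indicator list should be replaced with the current list from those advisories.

```python
"""Scan Syslog-forwarded EPMM access-log lines for exploitation indicators.

Added example, not ISEC7 Sphere or Ivanti code. Line format and sample data
are constructed; the /mifs/aad/api/v2/ indicator is from public vendor/CISA
guidance for CVE-2023-35078.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed format: "<syslog ts> <host> <app>: <apache combined-log line>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<app>\S+):\s"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s\S+\s\S+\s\[[^\]]+\]\s"
    r'"(?P<method>[A-Z]+)\s(?P<path>\S+)\s\S+"\s(?P<status>\d{3})\s(?P<size>\d+|-)'
)

# Indicator regexes over the request path. Add further patterns from the
# Ivanti/CISA advisories here; a single list keeps the scan data-driven.
INDICATORS = [
    (re.compile(r"^/mifs/aad/api/v2/"), "CVE-2023-35078 unauthenticated API prefix"),
]

# Constructed sample: two successful hits from one source, one blocked attempt
# (401 is what a patched appliance returns), one benign login page request,
# and one non-HTTP syslog line that must be ignored.
SAMPLE_LOG = """\
Jul 24 09:12:01 epmm01 httpd: 203.0.113.10 - - [24/Jul/2023:09:12:01 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 812
Jul 24 09:12:03 epmm01 httpd: 203.0.113.10 - - [24/Jul/2023:09:12:03 +0000] "POST /mifs/aad/api/v2/admins/users HTTP/1.1" 200 145
Jul 24 09:13:10 epmm01 httpd: 198.51.100.7 - - [24/Jul/2023:09:13:10 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0
Jul 24 09:14:00 epmm01 httpd: 192.0.2.55 - - [24/Jul/2023:09:14:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4021
Jul 24 09:14:05 epmm01 sshd[1201]: Accepted publickey for admin from 192.0.2.55 port 51022 ssh2
"""


@dataclass(frozen=True)
class Finding:
    src: str
    path: str
    status: int
    reason: str
    outcome: str  # "success" for a 2xx response, otherwise "attempt"


def parse_line(line):
    """Return the named fields of an HTTP access-log line, or None for other syslog lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log_lines(lines, indicators=INDICATORS):
    """Return one Finding per HTTP line whose path matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, reason in indicators:
            if pattern.search(rec["path"]):
                status = int(rec["status"])
                outcome = "success" if 200 <= status < 300 else "attempt"
                findings.append(Finding(rec["src"], rec["path"], status, reason, outcome))
                break  # one finding per line is enough for triage
    return findings


def summarize(findings):
    """Per source address, count successful hits versus blocked attempts."""
    per_src = {}
    for f in findings:
        per_src.setdefault(f.src, Counter())[f.outcome] += 1
    return per_src


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.outcome:8} {f.src:15} {f.status} {f.path}  ({f.reason})")
    print(summarize(hits))
```

A source with any "success" entries is a host to quarantine and investigate, not just a noisy scanner; the same regex-over-Syslog approach applies to any centralized log collector that can hold the forwarded EPMM and Sentry logs.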
What To Do Next
Improve your security posture by implementing a management and monitoring solution like ISEC7 Sphere to monitor your whole mobile infrastructure, including back-end messaging servers, EMM/UEM solutions, IoT devices and all employees’ endpoints, from desktop computers to mobile devices.
Common Vulnerabilities and Exposures (CVE) Monitoring
ISEC7 Sphere collects Common Vulnerabilities and Exposures (CVE) entries for monitored systems from the National Vulnerability Database (NVD), the public vulnerability repository maintained by the U.S. National Institute of Standards and Technology (NIST), which provides information about known vulnerabilities. ISEC7 Sphere displays them under the affected system and can take that information into account when calculating the server status. Administrators can click on a CVE to review it, then acknowledge it once the corresponding fix has been installed on the affected systems.
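How a monitoring tool can turn NVD data into a server status, as an added example that is not ISEC7 Sphere's implementation. It parses the shape of an NVD API 2.0 response (vulnerabilities[].cve with configurations[].nodes[].cpeMatch[] version bounds), checks whether an installed EPMM version falls inside a vulnerable range, and derives a status that drops back to OK once the CVE is acknowledged. The JSON body is constructed for illustration: its version bounds and score are sample values, not copied from NVD, and only OR-type CPE nodes are handled (an assumption that covers the common case).

```python
"""Evaluate NVD CVE records against an installed product version.

Added example, not ISEC7 Sphere code. SAMPLE_NVD_RESPONSE is constructed in
the shape of an NVD API 2.0 response; its bounds and scores are sample values.
"""
import json

SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2023-35078",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "11.10.0.0", "versionEndExcluding": "11.10.0.2"},
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "11.9.0.0", "versionEndExcluding": "11.9.1.1"},
            ]}]}],
        }},
    ]
})


def parse_version(v):
    """'11.10.0.3' -> (11, 10, 0, 3); tuples compare correctly even with different lengths."""
    return tuple(int(p) for p in v.split("."))


def cpe_product(criteria):
    """'cpe:2.3:a:vendor:product:...' -> 'vendor:product'."""
    parts = criteria.split(":")
    return f"{parts[3]}:{parts[4]}"


def match_in_range(m, version):
    """True if the installed version satisfies all bounds of one cpeMatch entry."""
    v = parse_version(version)
    if "versionStartIncluding" in m and v < parse_version(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= parse_version(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > parse_version(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= parse_version(m["versionEndExcluding"]):
        return False
    # A criteria string may pin an exact version in field 5 instead of using bounds.
    exact = m["criteria"].split(":")[5]
    return exact == "*" or parse_version(exact) == v


def affected_cves(nvd_json, vendor_product, installed_version):
    """Return [(cve_id, cvss_base_score)] for CVEs whose vulnerable CPE range covers the install."""
    hits = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        vulnerable = any(
            m.get("vulnerable")
            and cpe_product(m["criteria"]) == vendor_product
            and match_in_range(m, installed_version)
            for cfg in cve.get("configurations", [])
            for node in cfg["nodes"]  # assumption: OR nodes only
            for m in node["cpeMatch"]
        )
        if vulnerable:
            score = cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
            hits.append((cve["id"], score))
    return hits


def server_status(hits, acknowledged=frozenset()):
    """OK when no unacknowledged CVE remains, else CRITICAL for CVSS >= 9.0, else WARNING."""
    open_hits = [(cid, score) for cid, score in hits if cid not in acknowledged]
    if not open_hits:
        return "OK"
    return "CRITICAL" if max(score for _, score in open_hits) >= 9.0 else "WARNING"


if __name__ == "__main__":
    for version in ("11.10.0.1", "11.10.0.2"):
        hits = affected_cves(SAMPLE_NVD_RESPONSE, "ivanti:endpoint_manager_mobile", version)
        print(version, hits, server_status(hits))
```

In production the JSON comes from the NVD 2.0 API (`https://services.nvd.nist.gov/rest/json/cves/2.0` queried with the product's `cpeName`), and the acknowledgement set is what an administrator records after verifying the patch release is actually installed on each instance; a status that only turns green on verified version numbers, not on the acknowledgement alone, is the stricter design.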
Syslog is a standard protocol used for sending log messages within a network, and monitoring syslog data can help identify and analyze security events, system issues, and other important information.
ISEC7 Sphere can receive and monitor Syslog data from any server that supports it, including Ivanti EPMM and Sentry servers, and can be configured with regular expressions (regex) to search for and extract specific patterns or information from log entries, including Syslog data sent by Ivanti EPMM and Sentry instances. This is particularly useful in this scenario, where multiple log entries need to be searched for in a large amount of log data received from many servers, including Ivanti EPMM and Sentry as well as back-end Microsoft Active Directory (AD) and Exchange servers.
Maintaining up-to-date software is a critical part of cybersecurity as it fixes bugs and vulnerabilities that attackers will exploit to gain access to information systems. Continuously monitoring your environment for vulnerabilities and anomalies in activity, such as with log patterns, is an excellent way to ensure you identify security threats. No matter the size or how widely deployed your ecosystem is, understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution to address your specific vulnerabilities. The team of experts at ISEC7 can not only help you update your Ivanti environment, but also provide an objective assessment of your organization’s infrastructure and the risk mitigation needed to enhance your current solution. Additionally, ISEC7 can provide a demo of ISEC7 Sphere and show you how to monitor your entire mobile infrastructure, find and address vulnerabilities, and ultimately secure your environment through this one essential solution. Contact ISEC7 today to secure your infrastructure and bolster your security posture.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group