January 19, 2024 at 12:03AM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a now-patched critical flaw in Ivanti Endpoint Manager Mobile and MobileIron Core to its Known Exploited Vulnerabilities catalog. The flaw enables unauthorized remote access and has been actively exploited, affecting several versions of the impacted software. Federal agencies are advised to apply fixes by February 8, 2024.
The meeting notes highlight a critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core, known as CVE-2023-35082, which has been actively exploited in the wild. It is an authentication bypass vulnerability with a high CVSS score of 9.8, allowing unauthorized, remote actors to potentially access users’ personally identifiable information and make limited changes to the server.
All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are affected by this vulnerability. Cybersecurity firm Rapid7 has reported that it can be chained with CVE-2023-35081 to permit an attacker to write malicious web shell files to the appliance.
Federal agencies are recommended to apply vendor-provided fixes by February 8, 2024. Additionally, two other zero-day flaws in Ivanti Connect Secure (ICS) VPN devices (CVE-2023-46805 and CVE-2024-21887) have also come under mass exploitation, with updates expected to be released next week.
Ivanti has advised organizations to rotate secrets important to the operation of the VPN after a rebuild, as threat actors have been able to compromise over 1,700 devices worldwide. The exploitation has been linked to multiple threat actors, including a suspected Chinese threat actor named UTA0178.
Further reverse engineering has uncovered an additional endpoint that could be abused on older versions of ICS to obtain a reverse shell. The security researchers described this as an example of a secure VPN device exposing itself to wide-scale exploitation due to relatively simple security mistakes.