
Ivanti bug exploited in attack on Norwegian government


U.S. federal agencies have been ordered to patch a newly discovered maximum severity Ivanti software bug that was exploited in an attack against a dozen Norwegian government ministries.

The vulnerability is an authentication bypass flaw in Ivanti’s Endpoint Manager Mobile (EPMM) device management software, previously known as MobileIron Core.

Ivanti issued patches for the vulnerability on Monday, and on Tuesday the Norwegian government revealed that the bug had been exploited in an earlier zero-day attack impacting 12 of its ministries.

Also on Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The KEV listing means all Federal Civilian Executive Branch government agencies are required to remediate the vulnerability by Aug. 15.
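The KEV due date mentioned above is the kind of deadline a vulnerability management team has to track across its whole inventory, not just for one product. The following Python script is an added example (not part of the article, and not CISA's or Ivanti's own tooling): it parses a feed in the shape of CISA's published KEV JSON (the field names match the real feed; the records, the inventory, and every date other than the Aug. 15 due date reported here are constructed) and reports which catalog entries match a product inventory and how many days remain before the remediation deadline.

```python
"""Triage a CISA KEV-shaped feed against a product inventory and report deadlines."""
import json
from datetime import datetime

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real feed; the placeholder CVE ids, vendors, and dateAdded values are made up for
# this example. The CVE-2023-35078 due date is the one reported in the article.
SAMPLE_KEV_JSON = """{
  "title": "Constructed sample in the KEV feed format",
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-35078",
      "vendorProject": "Ivanti",
      "product": "Endpoint Manager Mobile (EPMM)",
      "vulnerabilityName": "Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability",
      "dateAdded": "2023-07-25",
      "shortDescription": "Authentication bypass in Ivanti EPMM (formerly MobileIron Core).",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-08-15",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "Ivanti",
      "product": "PLACEHOLDER-OTHER-PRODUCT",
      "vulnerabilityName": "Placeholder entry (constructed)",
      "dateAdded": "2023-07-01",
      "shortDescription": "Constructed record for a product not in our inventory.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-07-22",
      "notes": ""
    },
    {
      "cveID": "CVE-0000-00002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry (constructed)",
      "dateAdded": "2023-07-01",
      "shortDescription": "Constructed record for a vendor we do not run.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-07-22",
      "notes": ""
    }
  ]
}"""

# Constructed inventory: lower-cased vendor -> product-name fragments we actually run.
INVENTORY = {"ivanti": ["endpoint manager mobile", "mobileiron core"]}


def load_kev(text):
    """Parse a KEV-shaped JSON document into its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def affects_inventory(entry, inventory):
    """True when the vendor is in our inventory and the product matches a fragment."""
    vendor = entry["vendorProject"].strip().lower()
    product = entry["product"].strip().lower()
    return any(fragment in product for fragment in inventory.get(vendor, []))


def days_until_due(entry, today_iso):
    """Days left until the KEV dueDate (YYYY-MM-DD); negative means the deadline passed."""
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return (due - today).days


def triage(kev_text, inventory, today_iso):
    """Return in-scope KEV entries, soonest deadline first, with an overdue flag."""
    report = []
    for entry in load_kev(kev_text):
        if not affects_inventory(entry, inventory):
            continue
        left = days_until_due(entry, today_iso)
        report.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": left,
            "overdue": left < 0,
            "action": entry["requiredAction"],
        })
    report.sort(key=lambda row: row["due"])
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, INVENTORY, "2023-08-01"):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']}  {row['product']}  due {row['due']}  ({state})")
```

Matching on vendor plus a product-name fragment rather than on exact strings is deliberate: KEV product names are free text and a renamed product (MobileIron Core versus Endpoint Manager Mobile) would otherwise slip through the filter.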

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an alert.

Bug enables admin account creation

Ivanti’s EPMM solution is a widely used mobile management software engine that enables IT departments to set policies for mobile devices, applications, and content. Its name was changed from MobileIron Core after Ivanti acquired MobileIron in 2020.

Tracked as CVE-2023-35078, the authentication bypass bug has been assigned the maximum possible CVSS rating of 10, with Ivanti telling customers it was critical they patch their software immediately.

In a security advisory, Ivanti said the vulnerability enabled unauthorized access to the solution’s restricted functionality or resources, allowing threat actors to “potentially access users’ personally identifiable information and make limited changes to the server”. Ivanti said it was aware of “a very limited number of customers” who had been impacted by the bug.

CISA said the vulnerability allowed unauthenticated access to specific API paths. “An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system,” the agency said.

“An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.”

Security researcher Kevin Beaumont said on Mastodon he set up a honeypot to test the vulnerability “and it’s already being probed via the API … apparently nobody ever pentested one of the most widely used MDM (mobile device management) solutions”.

Dilemma over what to disclose

Norwegian authorities did not say whether data had been exfiltrated during the attack on their ministries; however, they said the country’s Data Protection Authority had been notified, indicating there may be concerns that information had been stolen.

It was too early to say who was responsible for the attack, they said.

“This vulnerability was unique and was discovered for the very first time here in Norway,” said Sofie Nystrøm, Director General of Norway’s National Security Authority.

“If we had published information about the vulnerability too early, it could have contributed to its abuse elsewhere in Norway and in the rest of the world. The update is now widely available and it is prudent to announce what kind of vulnerability it is.”

Ivanti was criticized by some in the infosec community for limiting access to details about the vulnerability and not disclosing indicators of compromise (IOCs) to help security teams harden their systems against attacks.

But others who said they had been briefed on the specifics of the vulnerability were understanding of the way the software vendor had handled the situation because sharing IOCs would open the door to other threat actors exploiting the bug.

An anonymous security engineer said on social media: “The IOCs double as POCs (proofs of concept), it’s really bad. After seeing it I totally get why they are taking this approach, and am trying to figure out when they will make it public. It won’t go well when they do.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
