Last updated at Tue, 27 Feb 2024 17:17:44 GMT

CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and a severity rating of critical.

Ivanti has reported that they have received information from a credible source indicating active exploitation of CVE-2023-35078. A vendor-supplied patch to remediate CVE-2023-35078 was released on July 24, 2023.

Background

Ivanti Endpoint Manager Mobile (EPMM) is used to configure and manage mobile devices and enforce security policies on those devices. According to Ivanti's advisory, if exploited, CVE-2023-35078 enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server.

On July 24, 2023, the Norwegian National Security Authority (NSM) issued a statement that CVE-2023-35078 was used in a zero-day attack to successfully compromise the Norwegian Security and Service Organization (DSS). Additionally, the US Cybersecurity & Infrastructure Security Agency (CISA) has published an alert for the vulnerability and added it to their Known Exploited Vulnerabilities (KEV) catalog.

According to CISA's alert, the vulnerability allows a remote unauthenticated attacker to access personally identifiable information (PII) and add an administrator account on the affected EPMM server, allowing for further system compromise.

The Shadowserver project has listed 2,729 IP addresses on the internet that remain vulnerable to the issue (as of July 24, 2023).

Currently, no known public exploit code is available (as of July 26, 2023). If public exploit code becomes available, we expect broader exploitation of vulnerable internet-facing systems. Organizations running the affected software are advised to apply the vendor patch as soon as possible.

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

CVE-2023-35078 affects all supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch:

  • 11.10
  • 11.9
  • 11.8

Product versions no longer receiving support are also affected, and Ivanti has released a workaround as part of their response.

Ivanti has released the following patches to remediate the issue:

  • 11.10.0.2
  • 11.9.1.1
  • 11.8.1.1

Indicators of Compromise (IoC)

The following indicators of compromise are present in the Apache HTTP logs stored on the appliance.

The log file /var/log/httpd/http-access_log will have an entry showing a request to a targeted API endpoint, containing /mifs/aft/api/v2/ in the path and showing an HTTP response code of 200. Blocked exploitation attempts will show an HTTP response code of either 401 or 403. For example:

192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aft/api/v2/ping HTTP/1.1" 200 "-" 68 "-" "curl/8.0.1" 2509
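As an added example (not code from the Rapid7 post or from Ivanti), the following Python script applies the indicators above to entries in the log layout shown: it parses the appliance access-log format, picks out requests whose path contains the targeted API fragment, and labels a 200 as possible exploitation and a 401/403 as a blocked attempt. The log entries it scans are constructed for the example.

```python
import re
from dataclasses import dataclass

# Path fragment the advisory names as the targeted API endpoint.
TARGET_PATH = "/mifs/aft/api/v2/"
# Layout of /var/log/httpd/http-access_log entries as shown in the advisory:
#   client:port - - timestamp "METHOD path PROTO" status "-" bytes "-" "user-agent" duration
LOG_RE = re.compile(
    r'^(?P<client>[^ :]+)(?::\d+)? - - (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'.*"(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    client: str
    timestamp: str
    path: str
    status: int
    user_agent: str
    verdict: str

def classify(status: int) -> str:
    """Map the response code to the advisory's two outcomes; anything else is flagged for review."""
    if status == 200:
        return "possible exploitation"
    if status in (401, 403):
        return "blocked attempt"
    return "review"

def scan_access_log(lines) -> list:
    """Return one Finding per request whose path touched the targeted API fragment."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or TARGET_PATH not in m.group("path"):
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("client"), m.group("ts"), m.group("path"),
                                status, m.group("ua"), classify(status)))
    return findings

# Constructed sample entries (not real appliance data): the advisory's example hit,
# a blocked attempt from the same client, and an unrelated login-page request.
SAMPLE_LOG = """\
192.168.86.34:58482 - - 2023-07-27--13-01-39 "GET /mifs/aft/api/v2/ping HTTP/1.1" 200 "-" 68 "-" "curl/8.0.1" 2509
192.168.86.34:58490 - - 2023-07-27--13-02-10 "GET /mifs/aft/api/v2/ping HTTP/1.1" 403 "-" 0 "-" "curl/8.0.1" 310
10.0.0.5:41200 - - 2023-07-27--13-03-55 "GET /mifs/login.jsp HTTP/1.1" 200 "-" 5120 "-" "Mozilla/5.0" 1802
"""
```

Point `scan_access_log` at the lines of a copied http-access_log instead of `SAMPLE_LOG.splitlines()` to triage a real appliance; only the 200 results indicate a request that reached the API.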

Rapid7 Customers

Instructions to install the patch or workaround are available in Ivanti's knowledge base article (which requires a free login to access).

An unauthenticated (remote) check will be available to InsightVM customers in tonight's (July 26, 2023) content release.

Updates

July 28, 2023: CISA has issued a new alert for CVE-2023-35081, a remote arbitrary file write vulnerability in Ivanti EPMM. Both CISA and Ivanti have confirmed that the new CVE was exploited in the wild and chained together with CVE-2023-35078 to remotely execute malicious code on a compromised system.