The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it’s being actively exploited in the wild.
The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass that’s a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023.
“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti noted in August 2023.
All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability.
Cybersecurity firm Rapid7, which discovered and reported the flaw, said it can be chained with CVE-2023-35081 to permit an attacker to write malicious web shell files to the appliance.
There are currently no details on how the vulnerability is being weaponized in real-world attacks. Federal agencies are recommended to apply vendor-provided fixes by February 8, 2024.
The disclosure comes as two other zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices (CVE-2023-46805 and CVE-2024-21887) have also come under mass exploitation to drop web shells and passive backdoors, with the company expected to release updates next week.
“We have observed the threat actor target the configuration and running cache of the system, which contains secrets important to the operation of the VPN,” Ivanti said in an advisory.
“While we haven’t observed this in every instance, out of an abundance of caution, Ivanti is recommending you rotate these secrets after rebuild.”
Volexity, this week, revealed that it has been able to find evidence of compromise of over 2,100 devices worldwide. While initial exploitation was linked to a suspected Chinese threat actor named UTA0178, additional threat actors have since joined the exploitation bandwagon.
The intrusions have targeted government, military, telecoms, defense contractors, technology, banking, consulting, aerospace, aviation, and engineering organizations in the U.S., Germany, the U.K., France, Spain, China, India, Australia, Russia, and Brazil.
The cybersecurity firm further noted that UTA0178, the suspected Chinese threat actor behind the initial attack wave in December 2023, made modifications to the in-built Integrity Checker Tool in an attempt to evade detection.
“Analysis of this file uncovered evidence that it had been modified so the system’s built-in Integrity Checker Tool would always indicate no findings, even if new or mismatched files were actually detected,” security researchers Matthew Meltzer, Sean Koessel, and Steven Adair said.
It’s recommended that organizations apply the mitigation provided by Ivanti after importing any backup configurations in order to prevent potential re-compromise of a device.
Further reverse engineering of the twin flaws by Assetnote has uncovered an additional endpoint (“/api/v1/totp/user-backup-code”) by which the authentication bypass flaw (CVE-2023-46805) could be abused on older versions of ICS and obtain a reverse shell.
Security researchers Shubham Shah and Dylan Pindur described it as “another example of a secure VPN device exposing itself to wide scale exploitation as the result of relatively simple security mistakes.”
Update
When reached for comment, Ivanti shared the following statement with The Hacker News –
“The security of our customers is our top priority. Ivanti disclosed this vulnerability in August 2023 and provided a fix at that time. The issue is also resolved in the 11.11.0.0 version of the product released on August 21, 2023. We encourage our customers to upgrade to the latest version of the product for the best functionality and greatest protection for their environment.”
“Shortly after disclosure, the Proof-of-Concept (PoC) was made public by a third-party, and we disclosed in August that customers had been exploited following the public PoC. Ivanti provided the information to CISA in August to be added to the KEV.”
(The story was updated after publication to include additional findings published by Volexity and an official statement from Ivanti.)