U.S. Cybersecurity Agency Raises Alarms on Actively Exploited Ivanti EPMM Vulnerability


Introduction: 

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a now-patched critical flaw affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, CVE-2023-35082 (CVSS score: 9.8), is an authentication bypass. It also functions as a patch bypass for CVE-2023-35078 (CVSS score: 10.0), an earlier authentication bypass in the same product, so appliances that were patched only for CVE-2023-35078 remain exposed.

The Exploited Vulnerability: Successful exploitation lets an unauthenticated remote attacker, working against an internet-facing appliance, access users' personally identifiable information and make limited changes to the server. Ivanti disclosed the flaw and published fixes in August 2023.

Widespread Impact: All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are vulnerable. Cybersecurity firm Rapid7, which discovered the flaw, noted that it can be chained with CVE-2023-35081, an authenticated path traversal that allows arbitrary file writes: an attacker first bypasses authentication with CVE-2023-35082, then uses CVE-2023-35081 to write a malicious web shell to the appliance and gain persistent code execution.
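The version ranges above are the practical input for an inventory triage, and they carry a classic pitfall: compared as strings, "11.10" sorts before "11.8", so a naive check would clear an affected 11.10 build. The helper below is an added example (not Ivanti's, CISA's or Rapid7's tooling) that parses versions numerically and encodes only the ranges quoted in this article; hostnames and version strings in the sample inventory are constructed. Versions newer than 11.10 are reported as outside the listed range, not as safe, because the article is the only source used here.

```python
"""Triage helper for the CVE-2023-35082 affected-version ranges quoted above.

Added example, not vendor tooling. It encodes only the ranges the article
lists: every EPMM 11.8.x, 11.9.x and 11.10.x build, and MobileIron Core 11.7
and below. Anything newer than 11.10 is reported as 'outside-listed-range';
confirm such builds against the vendor advisory rather than this script.
"""
from __future__ import annotations

import re

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.10.0.2' into (11, 10, 0, 2) so comparisons are numeric.

    Plain string comparison gets this wrong: '11.10' < '11.8' lexically,
    which would wrongly clear an affected 11.10 build.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def cve_2023_35082_status(version: str) -> str:
    """Classify an EPMM / MobileIron Core version against the listed ranges.

    Returns 'affected' or 'outside-listed-range'. There is deliberately no
    'safe' result: the article's version list is the only source encoded.
    """
    # Pad so a bare '11' parses as (11, 0); only major.minor matter here.
    major, minor = (parse_version(version) + (0, 0))[:2]
    if (major, minor) <= (11, 7):            # MobileIron Core 11.7 and below
        return "affected"
    if major == 11 and minor in (8, 9, 10):  # all builds of EPMM 11.8/11.9/11.10
        return "affected"
    return "outside-listed-range"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> status for an inventory of appliance versions."""
    return {host: cve_2023_35082_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "mdm-core-legacy.example.internal": "11.5.2.1",
        "epmm-prod-1.example.internal": "11.10.0.2",
        "epmm-prod-2.example.internal": "11.8.1.1",
        "epmm-new.example.internal": "11.11.0.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:40} {sample[host]:12} {status}")
```

Feed it the version strings from your asset inventory or from the appliance's own version output; anything returned as "affected" needs the vendor fix and a check for web shells, since the article notes exploitation is already under way.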

Exploitation Details Undisclosed: Neither CISA nor Ivanti has released details about how the vulnerability is being exploited or by whom. Federal civilian agencies are required to apply the vendor-provided fixes by February 8, 2024. Organizations outside that mandate should treat the KEV listing itself as the trigger to patch and to inspect their appliances for web shells, rather than wait for that date.

A Disturbing Pattern: The disclosure follows the mass exploitation of two zero-day flaws in Ivanti Connect Secure (ICS) VPN appliances, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), which attackers have chained to deploy web shells and passive backdoors. Ivanti's guidance for compromised ICS devices is to rebuild the appliance and then rotate all secrets it held, since any credentials, certificates and keys stored on a compromised device must be presumed stolen.

Global Compromise: Volexity has found evidence of more than 1,700 compromised ICS devices worldwide. Exploitation was initially attributed to a suspected Chinese threat actor tracked as UTA0178, but additional threat actors have since begun exploiting the same flaws.

Additional Vulnerable Endpoint: Assetnote's reverse engineering of the two ICS flaws found a further vulnerable endpoint, /api/v1/totp/user-backup-code, in older versions of ICS that can likewise be used to obtain a reverse shell. The practical consequence is that mitigations and detections written only against the endpoints named in the original advisory may miss exploitation on older builds; the additional path needs to be covered as well.
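A detection for that additional endpoint is straightforward to express over web-server access logs, provided the path is normalised before matching so that a query string, a trailing slash or percent-encoded slashes do not hide it. The script below is an added example (not Assetnote's or Ivanti's code) that parses combined-log-format lines, flags requests touching /api/v1/totp/user-backup-code, and counts hits per source address; the sample log lines and addresses are constructed. A hit is a hunting signal, not proof of compromise, since a legitimate client can also call the endpoint.

```python
"""Scan web-server access logs for requests to the ICS endpoint named above.

Added example, not vendor or researcher tooling. Flags any request whose
normalised path is /api/v1/totp/user-backup-code or a sub-path of it. The
log lines in SAMPLE_LOG are constructed for the example, not real traffic.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

SUSPECT_PATH = "/api/v1/totp/user-backup-code"

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalise_path(raw: str) -> str:
    """Drop the query string, percent-decode, and collapse repeated slashes.

    Decoding twice catches double-encoded slashes (%252F -> %2F -> /), a
    common trick for slipping a known-bad path past a naive string match.
    """
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/{2,}", "/", path)


def parse_line(line: str) -> dict | None:
    """Parse one combined-log line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = normalise_path(entry["path"])
    entry["status"] = int(entry["status"])
    return entry


def find_hits(lines: list[str]) -> list[dict]:
    """Return parsed entries whose path is the suspect endpoint or below it."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"]
        if path == SUSPECT_PATH or path.startswith(SUSPECT_PATH + "/"):
            hits.append(entry)
    return hits


def summarise(lines: list[str]) -> dict[str, int]:
    """Count hits per source IP, the first pivot an analyst wants."""
    return dict(Counter(hit["ip"] for hit in find_hits(lines)))


SAMPLE_LOG = [  # constructed sample lines; addresses are documentation ranges
    '203.0.113.10 - - [17/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2024:10:02:15 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [17/Jan/2024:10:02:16 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '203.0.113.10 - - [17/Jan/2024:10:03:00 +0000] "GET /api%2Fv1%2Ftotp%2Fuser-backup-code?x=1 HTTP/1.1" 200 300 "-" "curl/8.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["method"]:5} {hit["status"]} {hit["path"]}')
    print(summarise(SAMPLE_LOG))
```

Run it over the appliance's exported access logs; any source address that shows up in the summary, especially with non-browser user agents or a burst of 403s followed by a 200, is worth pulling into a timeline alongside the file-system checks for web shells described above.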

Conclusion: Taken together, the EPMM and ICS disclosures show a pattern of critical, remotely exploitable flaws in internet-facing Ivanti appliances being exploited before or shortly after fixes ship, with patch bypasses and additional vulnerable endpoints surfacing after the initial advisories. Organizations running these products should apply the vendor fixes without waiting for the federal deadline, check the appliances for web shells and other attacker artifacts, and rotate any secrets the devices held.
