Another actively exploited zero-day vulnerability (CVE-2023-35081) affecting Ivanti Endpoint Manager Mobile (EPMM) has been identified and fixed.
The first zero-day spotted
Last week, we reported on a remote unauthenticated API access vulnerability (CVE-2023-35078) affecting Ivanti EPMM having been exploited to target Norwegian ministries.
The company stated that the vulnerability had impacted a limited number of customers and released a patch, but did not share any other details or indicators of compromise with the public.
But the infosec community quickly ferreted out the vulnerable API endpoint, the nature of the vulnerability, how it can be exploited, and how organizations can check whether the vulnerability has been exploited in their systems.
CVE-2023-35081, discovered with the help of Mnemonic researchers, is a remote arbitrary file write vulnerability that could allow a threat actor to remotely create, modify, or delete files in the Ivanti EPMM server.
“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable),” the company explained.
“Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.”
CVE-2023-35081 also impacts all supported EPMM versions (11.10, 11.9 and 11.8) and older releases. A patch has been made available, and Ivanti urges customers to update as soon as possible, warning that “the chaining of these two vulnerabilities is what poses the greatest risk”.
CVE-2023-35078 and CVE-2023-35081 have been used together in the attacks.
CVE-2023-35078 – an authentication bypass flaw – reduces the complexity of executing CVE-2023-35081 – which enables attackers (now acting as an authenticated administrator) to perform arbitrary file writes to the EPMM server.
“As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081,” Ivanti noted.
The company has still not shared indicators of compromise publicly because “the situation is still evolving”. They are telling customers to get in touch with Ivanti Support for guidance if they suspect that they may have been breached.
Ivanti has also stressed that, as far as it can currently tell, this vulnerability was not introduced into its code development process maliciously, and that Ivanti itself has not been breached via these vulnerabilities.
UPDATE (August 1, 2023, 12:50 p.m. ET):
CISA has added CVE-2023-35081 to its Known Exploited Vulnerability Catalog and, jointly with the Norwegian National Cyber Security Centre (NCSC-NO), has released an advisory detailing known TTPs employed by the attackers, attack IoCs, and advice for incident responders.
“The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices,” the agencies shared.
The attackers performed LDAP queries against Active Directory to retrieve LDAP endpoints, listed users and administrators on the EPMM device, made configuration changes to it, checked and deleted various logs, and likely installed webshells.