Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)

Ivanti has disclosed a critical vulnerability (CVE-2023-35082) affecting old, out-of-support versions of MobileIron Core, an enterprise device solution that has since been rebranded to Ivanti Endpoint Manager Mobile (EPMM).

“The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability,” noted Ivanti.

About the vulnerability (CVE-2023-35082)

CVE-2023-35082 is a remote unauthenticated API access vulnerability that, if exploited, could allow an unauthorized threat actor to access users’ personally identifiable information (PII) and make modifications within the server.

“Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product,” said Stephen Fewer, principal security researcher at Rapid7, who disclosed this vulnerability to Ivanti.

MobileIron Core v11.2 is no longer supported (since March 15, 2022) and Ivanti will not be releasing a patch for this or earlier vulnerable versions. “We are actively working with our customers to upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM) or migrate to the cloud version of the product, Ivanti Neurons for MDM,” the IT software maker says.

Rapid7 has outlined how they exploited and confimed the existence of the flaw and has provided indicators of compromise for enterprise threat hunters.

Ivanti EPMM in the crosshairs

It was recently discovered that CVE-2023-35078 – a remote unauthenticated API access vulnerability – and CVE-2023-35081 – a remote arbitrary file write vulnerability had been exploited in conjunction to breach 12 Norwegian ministries.

As previously noted, CVE-2023-35082 – like CVE-2023-35078 – may allow a remote unauthenticated attacker to access the API endpoints on an exposed management server, and used them to perform various operations.

“Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker write malicious webshell files to the appliance, which may then be executed by the attacker,” Fewer added.