Ivanti, a software company, has revealed a zero-day vulnerability that was exploited in an attack on a government agency in Norway. The flaw, known as CVE-2023-35078, is an authentication bypass vulnerability that impacts Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. Ivanti stated in their advisory that this bug allows unauthorized remote actors to potentially access users’ personally identifiable information and make limited changes to the server.
The severity of this vulnerability was rated by HackerOne with a base CVSS score of 10, indicating the highest level of severity. All versions of EPMM, including Version 11.4 releases 11.10, 11.9, and 11.8, are affected. Additionally, older and unsupported versions of the software are also at risk. Ivanti has addressed the issue by releasing a patch that is currently available. Customers using earlier versions can apply an RPM script to mitigate the vulnerability. In response to the incident, the Cybersecurity and Infrastructure Security Agency (CISA) has advised Ivanti customers to review the security advisory and apply the necessary patches.
Ivanti stated in a dedicated blog post that they are aware of only a limited number of customers impacted by this zero-day vulnerability. However, it has come to light that the Norwegian government’s Departments’ Security and Service Organization (DSS) has fallen victim to the exploit. The Norwegian cyber agency National Security Authority acknowledged the incident on LinkedIn, assuring that relevant parties are working together to resolve the issue.
Reports about CVE-2023-35078 first emerged when security researchers mentioned a new zero-day exploit on Ivanti’s customer support forum. However, because this forum is restricted to customers only, the initial advisory was effectively paywalled until Ivanti officially disclosed the bug on Monday. The knowledge base article that provides detailed remediations for the vulnerability still requires a customer login, further limiting access to important information.
TechTarget Editorial reached out to Ivanti for additional insights about the attack on the DSS, the restricted advisory, and access to the knowledge base article. However, a spokesperson from Ivanti declined to provide the article or directly answer the questions. Instead, they released a statement emphasizing their commitment to protecting customer security and addressing vulnerabilities promptly. Ivanti also mentioned that they provided additional time for customers to apply the patch before public disclosure to minimize the potential for exploitation. They confirmed their cooperation with NCSC-NO (the Norwegian National Cyber Security Center) and other government agencies involved in coordinated disclosure, including their collaboration with CISA.
This zero-day vulnerability in Ivanti Endpoint Manager Mobile has raised concerns about the potential exposure of users’ personally identifiable information and the unauthorized access to servers. The incident involving the Norwegian government agency highlights the importance of proactive security measures and the need for prompt patching of software vulnerabilities. Companies and government agencies are urged to review their systems, apply the necessary updates, and follow best practices for secure software management to prevent similar attacks in the future.