CyberSecurity SEE

Ivanti Zero-Day Vulnerability Causes Disruption in Norway’s Government Services

A recent cyberattack on the Norwegian Ministries Security and Service Organization has exposed a zero-day authentication bypass vulnerability in Ivanti software. The attack affected the communication networks of 12 government ministries, resulting in a disruption of mobile services and email access for employees in those departments.

Fortunately, the Prime Minister’s office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs were not impacted by the attack. The Norwegian government released a statement highlighting the seriousness of the incident and confirming that steps are being taken to address the issue.

The vulnerability in question, tracked as CVE-2023-35078, is a remote unauthenticated API access vulnerability discovered in the Ivanti Endpoint Manager. This flaw allows a remote attacker to obtain information, create an administrative account, and modify the device’s configuration. It affects several software versions, including Version 11.4 and older, as well as versions and releases from 11.10.

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued a statement regarding the vulnerability, emphasizing the risks associated with unauthenticated access to specific API paths. Attackers were able to access personally identifiable information (PII) such as names, phone numbers, and other mobile device details of users on vulnerable systems.

Security experts have further analyzed the vulnerability and its potential impact. Satnam Narang, a senior research engineer at Tenable, explained that an attacker could utilize the unrestricted API paths to modify a server’s configuration file. This could lead to the creation of an administrative account for the endpoint manager’s management interface, known as EPMM. With this access, further changes could be made to the vulnerable system.

Upon learning of the vulnerability, Ivanti took immediate action to address the issue. The company released a patch for supported versions of the product and provided an RPM script for customers on earlier versions to assist in remediation. Ivanti has also been working closely with affected customers and partners to investigate the situation and minimize the impact.

Norwegian national cybersecurity authorities have been actively collaborating with Ivanti and other partners to mitigate the risk associated with this vulnerability. Measures have been taken to reduce the impact and prevent the vulnerability from being exploited further, both within Norway and globally. All known users of MobileIron Core in Norway have been alerted to the availability of security updates, and it is strongly recommended that these updates be installed immediately.

Sofie Nystrøm, the director general of the Norwegian National Security Authority, acknowledged the unique nature of this vulnerability and the importance of handling it cautiously. She explained that if information about the vulnerability had been published too early, it could have been abused elsewhere in Norway and around the world. However, now that the update is widely available, it is important to openly discuss the vulnerability and raise awareness.

In conclusion, the cyberattack on the Norwegian Ministries Security and Service Organization has shed light on a zero-day authentication bypass vulnerability in Ivanti software. The government is working closely with cybersecurity authorities and the affected software company to address the issue and minimize the risk. Users of MobileIron Core in Norway are urged to install security updates promptly to protect their systems from potential exploitation.
