Exploitation No Longer Requires Admin Authentication When Chained With Earlier Flaw
Threat actors who recently attacked a dozen Norwegian ministries by exploiting a zero-day vulnerability in Ivanti’s endpoint management software appear to have used a second zero-day flaw as part of the overall exploit chain, Ivanti confirmed on Friday.
Endpoint management and security solutions provider Ivanti detailed the second zero-day on Friday, used in conjunction with the earlier-disclosed CVE-2023-35078 in attacks that targeted a dozen Norwegian ministries.
“This vulnerability allows an attacker with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. The attacker could then execute the uploaded file, for example, a web shell,” the U.S. Cybersecurity and Infrastructure Security Agency said in a Friday alert. “To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system.”
“CVE-2023-35078 reduces the complexity of executing CVE-2023-35081 and the chaining of these two vulnerabilities is what poses the greatest risk,” Ivanti said in its knowledge base post.
British cybersecurity expert Kevin Beaumont confirmed the new MobileIron vulnerability as being legitimate. “You can chain it with the earlier zero-day if unpatched to write a webshell to the MobileIron Core box itself,” he said, warning that it could soon be used by ransomware actors.
According to Ivanti, the exploit chain vulnerabilities were used against “the same limited number of customers” affected by CVE-2023-35078, which includes 12 Norwegian ministries.
A spokesperson for the Norwegian government’s Security and Service Organization told Information Security Media Group that its information and communication technology platform that services a dozen ministries was affected due to the Ivanti zero-day vulnerabilities.
“DSS’s ICT platform is used by all the ministries, except the Office of the Prime Minister, the Ministry of Defense, the Ministry of Justice and Public Security, and the Ministry of Foreign Affairs,” the spokesperson said.
Ivanti found the latest path traversal zero-day while investigating CVE-2023-35078 exploits that were disclosed earlier on Monday (see: Ivanti Zero-Day Used in Norway Government Breach).
The previous zero-day, CVE-2023-35078, had a CVSS score of 10 and was exploited to steal personally identifiable information, including names, phone numbers and other mobile device details. The same flaw also allowed attackers to make configuration changes and create administrative accounts to further exploit the appliance and the network in which it is placed.
The mobile security vendor denied rumors of a supply chain attack. “Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously,” Ivanti said.
Beaumont pointed out that the MobileIron API endpoint is now public knowledge. “Yes, you just added to add ‘aad’ to access the admin API without auth and it’s been like that for years,” he said.
As was the case with the earlier zero-day, CVE-2023-35081 also affects all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8 – and all older versions or releases, including those that are declared end-of-life by Ivanti. Both security agencies and Ivanti urged users to take immediate action against this critical exploit chain of vulnerabilities.