The Second Exploit in Ivanti EPMM in a Week

New Ivanti EPMM 0-day Vulnerability
Ivanti had a second bug on their product despite fixing a zero-day vulnerability.

Ivanti has once again had to patch a flaw affecting its Endpoint Manager Mobile (EPMM) software, only days after eliminating a zero-day vulnerability that targeted the same product.

Analysts found a new vulnerability in Ivanti EPMM

Currently, two vulnerabilities are being actively exploited by malicious cyber actors, making them a common attack vector that poses significant risks to the federal enterprise. EPMM users are strongly advised to apply the available patches as soon as possible to protect themselves. Last week, it was disclosed that one of the vulnerabilities, CVE-2023-35078, which carries the maximum-possible CVSS v3 rating of 10, was used in an attack against twelve ministries in the Norwegian government.

Many IT departments worldwide, including several U.S. government agencies, use Ivanti’s EPMM software to manage mobile devices, apps, and content. Now a second bug, CVE-2023-35081, has been identified. This vulnerability is a path traversal flaw with a CVSS v3 rating of 7.2. It permits an attacker to write arbitrary files onto the appliance.

“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs (access control lists) restrictions (if applicable),” Ivanti said.

The company thanked cybersecurity firm Mnemonic for helping it identify the new vulnerability. Mnemonic warned in a blog post that remote file write vulnerabilities can seriously compromise system security and lead to various types of attacks, such as data breaches and system takeovers. Researchers from Mnemonic reported that the new EPMM vulnerability was exploited together with CVE-2023-35078 to write Java Server Pages (JSP) and Java .class files to disk.

“These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers,” Ivanti said.
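To make the bug class concrete, here is an added illustration (not Ivanti’s code, and unrelated to EPMM’s real internals or paths) of the unchecked file-write pattern behind a path traversal flaw like the one described above, beside a hardened version, plus the baseline check a defender would run over a servlet container’s deployment tree for dropped JSP and class files like those Mnemonic described. The directory layout and file names are constructed for the demo.

```python
import os
import tempfile

# Constructed directory layout for the demo (not EPMM's real paths):
# an upload directory the app may write to, and a servlet container's
# deployment tree that must never receive user-named files.
BASE = tempfile.mkdtemp(prefix="traversal_demo_")
UPLOAD_ROOT = os.path.join(BASE, "uploads")
WEBAPP_ROOT = os.path.join(BASE, "webapps", "ROOT")
os.makedirs(UPLOAD_ROOT)
os.makedirs(WEBAPP_ROOT)
ALLOWED_EXT = {".txt", ".png", ".pdf"}
SERVER_EXECUTABLE_EXT = {".jsp", ".jspx", ".class", ".war"}


def save_unsafe(filename: str, data: bytes) -> str:
    """Vulnerable pattern: the caller-controlled name is joined onto the
    root unchecked, so '../webapps/ROOT/x.jsp' escapes UPLOAD_ROOT."""
    path = os.path.join(UPLOAD_ROOT, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_safe(filename: str, data: bytes) -> str:
    """Hardened pattern: resolve the final path, require it to stay inside
    UPLOAD_ROOT, and allow only non-executable file types."""
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def find_server_executables(root: str) -> list:
    """Defender check: list JSP/class/WAR files under a deployment tree so
    they can be compared against a known-good baseline of deployed files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_EXECUTABLE_EXT:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)
```

Any file the baseline check reports that is not in the known-good set of deployed artifacts should be treated as a potential web shell and investigated.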

Report from CISA

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging security teams to patch the vulnerabilities recently reported by Ivanti. CISA specified that both CVE-2023-35081 and CVE-2023-35078 were being actively exploited. The newly released patches for CVE-2023-35081 also cover CVE-2023-35078.

CISA explained that if CVE-2023-35078 remains unpatched, attackers can gain EPMM administrator privileges, enabling them to write arbitrary files with the operating system privileges of the web application server. The agency warned that the attacker could execute the uploaded file, such as a web shell.

Last week, CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog and ordered all Federal Civilian Executive Branch government agencies to fix the issue by August 15. However, the agency has yet to take similar steps in regard to CVE-2023-35081.

How to avoid a significant cyberattack?

Organizations that could fall victim to cyberattacks should prioritize their defenses. If a significant cyberattack does occur, the organization should reset its cybersecurity approach and posture, and every organization should reflect on its actions and decisions after such an incident. This lesson applies not only to government services but also to companies.

  • It’s crucial to implement strict access controls like strong passwords, multi-factor authentication (MFA), and role-based access control to prevent unauthorized access to sensitive data and systems.
  • Keep your operating systems, software, and applications updated with the latest security patches and updates to fix known vulnerabilities. Make sure to update these systems regularly for optimal security.
  • One crucial responsibility for organizations is to adopt Zero Trust principles, which can significantly enhance security by following the ‘trust none, verify all’ approach. Every user, device, and connection must be authenticated before being granted access to your business network, its essential assets, and sensitive data.
  • It’s essential to stay up-to-date on the latest vulnerabilities and learn safe online practices to protect yourself and your team. Always be careful when sharing sensitive information online or with people you don’t know.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
