Ivanti patches new zero-day exploited in Norwegian govt attacks

Ivanti has fixed another vulnerability in the Endpoint Manager Mobile software (formerly MobileIron Core), exploited as a zero-day to breach the IT systems of a dozen ministries in Norway.

Ivanti released security patches for the path traversal flaw tracked as CVE-2023-35081 today and warned customers that it's "critical" to upgrade as soon as possible to secure vulnerable appliances against attacks.

"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable)," Ivanti said.

"Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.

"As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081."

CVE-2023-35078 was also exploited in the same attacks targeting Norwegian government entities as a zero-day, to steal personally identifiable information (PII), including names, phone numbers, and other mobile device details.

The same flaw also allows threat actors to create EPMM administrative accounts, which enable them to make further changes to unpatched appliances.

As reported by Shodan, over 2,600 MobileIron user portals are presently accessible on the internet, with about three dozen of them linked to U.S. local and state government agencies.

In light of this, admins and security teams should immediately upgrade their Ivanti EPMM (MobileIron) installations to the latest version to protect them from potential attacks.

The Norwegian National Security Authority (NSM) confirmed on Tuesday that the CVE-2023-35078 EPMM vulnerability was abused to breach a software platform used by the country's government agencies.

However, the Norwegian Security and Service Organization (DSS) said the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.

The Norwegian Data Protection Authority (DPA) has also been alerted regarding the incident, raising concerns that the hackers may have managed to access and/or exfiltrate sensitive data from the compromised government systems.

"This vulnerability was unique, and was discovered for the very first time here in Norway," the NSM said.

CISA also ordered U.S. Federal Civilian Executive Branch Agencies (FCEB) to patch their systems against CVE-2023-35078 by August 15th and will likely soon issue a similar order to address CVE-2023-35081.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.