A new zero-day vulnerability affecting a product of US-based enterprise software provider Ivanti has been exploited in an attack aimed at the Norwegian government.
Norwegian authorities announced on Monday that a dozen government ministries had been targeted in a cyberattack involving a previously unknown vulnerability.
The country’s National Security Authority later clarified that the attack involved the exploitation of CVE-2023-35078, a zero-day vulnerability impacting Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
EPMM is a widely used mobile management software engine that enables IT teams to set policies for mobile devices, applications, and content.
According to an advisory published on Monday by Ivanti for CVE-2023-35078, the flaw is an unauthenticated API access issue that can be exploited by remote threat actors “to potentially access users’ personally identifiable information and make limited changes to the server”.
“We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation,” Ivanti said. “We are only aware of a very limited number of customers that have been impacted.”
The authentication bypass vulnerability has been rated ‘critical’ and it impacts all supported versions, including 11.10, 11.9 and 11.8, as well as older releases. The vendor has rushed to release a patch and organizations have been advised to install it as soon as possible due to how easy it is to exploit the flaw.
Security researcher Kevin Beaumont has set up a honeypot to monitor CVE-2023-35078 and he has already been seeing exploitation attempts.
There are many internet-exposed systems, particularly in the United States and Europe.
The vendor, whose offering includes cybersecurity products, has faced criticism for initially deciding not to make its advisory public — it was initially behind a paywall and exploitation information was hidden.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an alert, clarifying that the zero-day can be exploited by an attacker with access to specific API paths to obtain information such as name, phone number and other mobile device details.
The configuration changes that can be made by an attacker include creating an admin account that can make other modifications to the targeted system.
CISA’s Known Exploited Vulnerabilities Catalog currently lists nine Ivanti product flaws — it does not include the latest zero-day. All of these security holes impact Pulse Connect Secure and MobileIron products, which Ivanti acquired in 2020.