Ivanti Zero-Day Used in Norway Government Breach – Source: www.govinfosecurity.com

3rd Party Risk Management
,
Governance & Risk Management
,
Patch Management

Flaw in Ivanti Endpoint Manager Mobile Rated 10 on CVSS Scale

Mihir Bagwe (MihirBagwe) •
July 25, 2023    

A mobile security vendor patched a critically rated zero-day vulnerability in its endpoint management platform that had been used by unknown hackers to attack the Norwegian government.

Oslo senior officials disclosed the hack Monday and later disclosed that the zero-day had originated in the Ivanti Endpoint Manager Mobile (see: 12 Norwegian Ministries Impacted in ICT Platform Hack).

Tracked as CVE-2023-35078 and assigned a 10 on the CVSS scale, the vulnerability is a remote unauthenticated API access flaw, Ivanti’s security advisory states.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

“An attacker with access to these API paths can access personally identifiable information such as names, phone numbers, and other mobile device details for users on a vulnerable system,” the U.S. Cybersecurity and Infrastructure Security Agency said in a Monday alert.

CISA added that an attacker can also use the bug to make configuration changes and create an administrative account.

The zero-day affects all supported and unsupported versions of the product. Ivanti said only a limited number of customers had been affected.

British cybersecurity expert Kevin Beaumont tracked the worldwide deployment of the internet-facing MobileIron instances and found that many U.S. government agencies and European organizations – including those at the 10 Downing Street in London – use the Ivanti platform.

A search on Shodan, an internet of things scanning platform, showed that more than 2,900 MobileIron user portals are presently exposed online, of which nearly two dozen are linked to the U.S. local and state government agencies.

“This one is completely nuts btw, I set up a honeypot and it’s already being probed via the API – which allows admin access and is completely unauthenticated, apparently nobody ever pentested one of the most widely used MDM solutions,” Beaumont said.

Security agencies around the globe, including the Australian Cyber Security Center, have urged users to review their networks for use of vulnerable instances of the platform and to patch immediately.