Alert - Threat Actors Exploiting Ivanti Endpoint Manager Mobile CVE-2023-35078 - Update 1

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On July 24, 2023, Ivanti published an article^{Footnote 1} highlighting a remotely exploitable vulnerability (CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM) (formerly MobileIron Core). Ivanti has stated that exploitation of this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server. CISA has since published an Alert which further states that this vulnerability may also result in other configuration changes, including the creation of an EPMM administrative account that can make further changes to a vulnerable system.^{Footnote 2} Ivanti additionally reported that this vulnerability has been exploited, and Norway’s National Security Authority and Departments’ Security and Service Organization have stated publicly^{Footnote 3} they have been affected by this zero-day vulnerability.

On July 25, 2023, the Cyber Centre published AV23-434^{Footnote 4} highlighting the vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The advisory raised awareness that a vulnerability exists and that it had been exploited. The Cyber Centre has assessed that there are a number of potentially affected devices within Canada.

Update 1

On July 28, 2023, Ivanti published an article^{Footnote 6} highlighting an additional vulnerability recently exploited by malicious actors. Ivanti states that CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass administrator authentication and ACLs restrictions (if applicable). Ivanti has further reported that patches are now available for CVE-2023-35081. Organizations are encouraged to review the article and install the recommended updates.

Recommendations

The Cyber Centre recommends that any organizations who use these devices, to ensure that they are patched as soon as possible.

Additional guidance is available in the Cyber Centre’s Top 10 IT security actions to protect Internet connected networks and information (ITSM.00.089)^{Footnote 5}. These publications are based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion.

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.