On 24th July 2023Mobile Device Management solution from Ivanti has got the Zero day vulnerability which exploited by hackers to get the data of government organization.
First Attack was confirmed by Norwegian government they told that there MDM solution (product of Ivanti) has an zero day vulnerability and which affects there 12 ministries in the country.
The flow starts when the MDM solution had integrated the Azure AD code to make the product joined with Azure AD domain but this introduce the flow as this will give the unauthenticated access to the MDM solution API as an admin user.
Technical Details of CVE 2023-35078
As this bug is introduced by vulnerable endpoint so as an attacker we have to find out the endpoint which is vulnerable and not ask for creds after that we have to change the Uri path of the legitimate request to vulnerable one.
Normal request: https://example.server/api/v2/
Attacker request: https://example.server/vulnerable path/api/v2/admin/user - To list all users
Attacker request: https://example.server/vulnerable path/api/v2/devices- To list all devices
Attacker request: https://example.server/vulnerable path/api/v2/ldap_entites - To search active directory inside the organization
You can find out that your MDM solution vulnerability is exploited or not by analysing your logs if you found the abnormal requests like above then please update to the non vulnerable version.
Note: Vulnerable endpoint you can find by using publicly available document - https://help.ivanti.com/mi/help/en_us/CORE/10.8.0.0/api2/Content/APIv2/APIv2Title.htm
How you can Find your system to patch?
You can search on shodan your assets path =/mifs SSL:.example.com
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.
If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.
We have received information from a credible source indicating exploitation has
occurred. We continue to work with our customers and partners to investigate this situation.