Ivanti

IT software company Ivanti disclosed today a new critical security vulnerability in its MobileIron Core mobile device management software.

Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting MobileIron Core version 11.2 and older.

Successful exploitation allows attackers to access personally identifiable information (PII) of mobile device users and backdoor compromised servers by deploying web shells when chaining the bug with other flaws.

Ivanti said it would not issue security patches to fix this flaw because it has already been addressed in newer versions of the product, rebranded to Endpoint Manager Mobile (EPMM).

"MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats," the company said.

"This vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM. Our Support team is always available to help customers to upgrade," Ivanti said in a separate security advisory.

According to Shodan, more than 2,200 MobileIron user portals are currently exposed online, including over a dozen connected to U.S. local and state government agencies.

Rapid7 security researcher Stephen Fewer, who discovered and reported the bug, provides indicators of compromise (IOCs) to help defenders detect signs of a CVE-2023-35082 attack and urges Ivanti customers to update MobileIron Core software to the latest version immediately.

Similar Ivanti bugs exploited in attacks since April

Two other security flaws in Ivanti's Endpoint Manager Mobile (EPMM) (formerly MobileIron Core) have been exploited by state hackers since April, according to a CISA advisory published on Tuesday.

One of the flaws (CVE-2023-35078), a critical authentication bypass, was exploited as a zero-day to breach the networks of multiple Norwegian government entities.

This vulnerability can be chained with a directory traversal flaw (CVE-2023-35081), allowing threat actors with administrative privileges to deploy web shells on compromised systems.

"Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network," CISA said.

"Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."

CISA's joint advisory with Norway's National Cyber Security Centre (NCSC-NO) followed orders asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.
