Which vendor is going to declare a happy little vulnerability this week rather than a zero day?

We have a winner already - CVE-2023-35078, zero day in #MobileIron aka Ivanti Endpoint Manager Mobile

Exploitation in the wild. #threatintel
https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078

⚠️ Regarding the #MobileIron vulnerability ⚠️

Patches are out for 11.8.1.1, 11.9.1.1 and 11.10.0.2. It also applies to unsupported and EOL versions.

It's a serious zero day vulnerability which is very easy to exploit, where Ivanti are trying to hide it for some reason - this will get mass internet swept. I'd strongly recommend upgrading, and if you can’t get off EOL, switch off the appliance.

Heise have picked up on the #MobileIron zero day. It's under active exploitation, Ivanti have put security information behind a paywall portal and hidden exploitation information behind a non-disclosure agreement.

Ivanti are also a security vendor.

cc @wdormann https://www.heise.de/news/Ivanti-schliesst-Zero-Day-Luecke-in-MobileIron-9225583.html

Ivanti closes zero-day hole in MobileIron

An update is intended to prevent attacks on mobile device management with MobileIron.

What is this nonsense? They have a public security blog... that they’re not using as soon as they have a security issue in their own back garden.
Ivanti argue they are “practicing responsible disclosure protocols” by trying to hide a zero day in their own product, MobileIron, and lock technical details behind non-disclosure agreements to avoid people understanding the severity of their fail. https://therecord.media/ivanti-urges-customers-to-apply-patch
Ivanti urges customers to apply patch for exploited MobileIron vulnerability

The IT giant Ivanti is urging customers to apply a patch for a vulnerability in a product used by dozens of governments around the world.

The #MobileIron advisory is now public. Cyberbullying vendors into doing the right thing is my community service.

CVSS 10. “Remote unauthenticated API access”. #threatintel

This one is completely nuts btw, I set up a honeypot and it’s already being probed via the API - which allows admin access and is completely unauthenticated, apparently nobody ever pentested one of the most widely used MDM solutions.

https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US


Norway says Ivanti zero-day was used to hack govt IT systems

The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country.


The #MobileIron zero day saga continues.

The vendor note to customers says the flaw allows the attacker to "make limited changes to the server".

CISA have released a statement saying "An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system"

#threatintel

https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078

Here's a track of MobileIron/EPMM deployment worldwide.

It's hotter than The Hoff in Germany.

A vast majority of orgs haven't patched. Orgs include 10 Downing Street, large swathes of the US government etc.

Pretty funny - Ivanti have published a blog disclosing the #MobileIron vulnerability - and backdated it so it appears like it was there yesterday. https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
CVE-2023-35078 - New Ivanti EPMM Vulnerability

At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. We are investing significant resources to ensure that all our solutions continue to meet our own high standards. 

The MobileIron vuln is definitely doing the rounds in security circles as my honeypot is getting probed, admin lists dumped and disclosures from researchers. #MobileIrony #threatintel

The #MobileIrony API endpoint is now public knowledge - it’s /mifs/aad/

Yes, you just had to add ‘aad’ to access the admin API without auth and it’s been like that for years.

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-35078.yaml

nuclei-templates/http/cves/2023/CVE-2023-35078.yaml at main · projectdiscovery/nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities. - projectdiscovery/nuclei-templates

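A defensive triage script for web-server access logs, added here as an example (it is not code from the thread, from Ivanti or from the nuclei template): it flags requests to the /mifs/aad/ prefix named above, counts them per source, and separates successful write requests from failed probes. The log lines, IPs and the API sub-paths under the prefix are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined format; not real EPMM logs.
# The sub-paths after /mifs/aad/ are placeholders, not documented endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2023:10:01:02 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.5 - - [23/Jul/2023:10:01:09 +0000] "POST /mifs/aad/api/v2/admins/users HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jul/2023:10:02:30 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jul/2023:10:03:11 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 404 0 "-" "curl/8.1"
192.0.2.44 - - [23/Jul/2023:10:04:00 +0000] "GET /mifs/admin/rest/api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Requests under this prefix reach the admin API without authentication (CVE-2023-35078).
BYPASS_PREFIX = "/mifs/aad/"
WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bypass_requests(log_text):
    """Return every parsed request whose path uses the auth-bypass prefix, probes included."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(BYPASS_PREFIX):
            rec["status"] = int(rec["status"])
            hits.append(rec)
    return hits


def triage(log_text):
    """Summarise hits per source IP and pull out successful (2xx) write requests,
    which on an unpatched host can indicate configuration changes such as a new admin."""
    hits = find_bypass_requests(log_text)
    by_ip = Counter(h["ip"] for h in hits)
    writes = [h for h in hits if h["method"] in WRITE_METHODS and 200 <= h["status"] < 300]
    return {"hits": len(hits), "by_ip": by_ip, "successful_writes": writes}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A 2xx response on this prefix from an unpatched appliance is the signal to investigate; 4xx responses still identify scanners worth blocking.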

CISA advisory says the zero day exploitation of #MobileIron was happening from "at least" April 2023 (which backs up what I wrote in my blog - i.e. I can see exploitation in logs going back to early this year).

Threat actors were uploading webshells and such. #threatintel #mobileirony

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a

Patch numbers globally for #MobileIrony vuln are actually pretty good for a change.
@GossiTheDog It's not uncommon to know how an API is set up. It is uncommon to not have it properly shielded, no?
CVE-2023-35082 MobileIron Core Unauthenticated API Access | Rapid7 Blog

Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in unsupported versions of MobileIron Core (11.2 and below).

@GossiTheDog do you see any indication in your logs that the filewrite/RCE was already being exploited back in April? Or was it just the unauthenticated API issue?
@GossiTheDog thank you for the early warning, it helps.
@GossiTheDog in fairness, darn handy when you forget your admin credentials though (#irony #notSerious)

@GossiTheDog nice! I feel like it was good timing for us to move from #Nessus to #Nuclei for our automated network-wide scans last week.

It’s been great to see just how agile the community behind Nuclei is. Nessus never felt like that, probably due to the poorer onboarding experience for users and developers alike.

@GossiTheDog Nice, Kevin, but I don't see anything about adding a user in the Ivanti document. How do they exploit this vulnerability?
@GossiTheDog btw, s/the device is be Azure/the device to be Azure/
@GossiTheDog I’ve seen requests for one particular (the same one during the whole period) path since October 2020; roughly a thousand requests, and 99% from .ru addresses. Odd thing, no probes to my server between July 2022-July 2023. Perhaps the group by then were too busy using their accesses elsewhere so no need to scan?
@Newk @GossiTheDog great write-up. Not sure how pedantic you are about these things, but minor typo in the first line.
@GossiTheDog “is be” instead of “to be” - second paragraph, my bad
@GossiTheDog

Excellent write-up, quite an own-goal for a security firm to pull something like this, and certainly not a company that I'd recommend to a client.

@GossiTheDog @Newk "As far as I can see, Ivanti have no telemetry on every API endpoint request — so simply may well not know how many customers were impacted."

Oh look, it's "we've seen no evidence of exploitation [because we haven't and can't look for any]"

@GossiTheDog
Impressive.
"Many years ago, MobileIron aka Ivanti Endpoint Manager Mobile (EPMM) gained support for AzureAD integration in a product update, allowing the device is be Azure AD domain joined. It appears this code introduced the vulnerability, as it allowed unrestricted remote access to the entire MobileIron API as an admin user — without suppling any credentials."
@GossiTheDog this is the kind of vuln that makes me believe there are more things wrong with the product. I bet we’ll be seeing more vulns in the near future now that eyes are on it.
@GossiTheDog @Newk holy shit this isn't a simple vulnerability, it's a gaping security hole wide enough for the death star to pass through! How the hell aren't their clients outside their premises with pitchforks?