For the second time in a week, Ivanti has released patches addressing an actively exploited vulnerability in its mobile device management tool.
The path traversal vulnerability (CVE-2023-35081) exists in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, which helps businesses manage and secure their employees’ devices. The flaw can enable an attacker with administrative privileges to perform arbitrary file writes to the EPMM server with the operating system privileges of the web application server; the attacker could then execute uploaded files, like a webshell.
“A vulnerability has been discovered in Ivanti Endpoint Manager Mobile, formerly known as MobileIron Core,” according to Ivanti in a security advisory on Friday. “This vulnerability impacts all supported versions – releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released on July 23.”
Last week, the enterprise software company addressed a separate, actively exploited vulnerability (CVE-2023-35078) also in EPMM. That flaw stemmed from an unauthenticated API access problem and could enable attackers with access to certain API paths to steal personally identifiable information (like names, phone numbers and specific mobile device details) of users on a vulnerable system, and to make configuration changes like creating an administrative account. Attackers leveraged the vulnerability to target a software platform utilized by 12 Norwegian government agencies.
While CVE-2023-35078 has a critical CVSS score of 10, CVE-2023-35081 has a lower score of 7.2, in part because an attacker must have administrator privileges to exploit the flaw. However, the flaws can be chained together in attacks, warned Ivanti.
“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable),” according to Ivanti. “Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.”
Ivanti said that it is aware of “the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.”
Patches are currently available for flaws tied to both CVE-2023-35078 and CVE-2023-35081 (and patches for CVE-2023-35081 also include patches for CVE-2023-35078). Both Ivanti and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged businesses to apply patches for both flaws, with CISA adding the flaw to its Known Exploited Vulnerabilities Catalog and giving federal agencies a deadline of Aug. 21 to patch.