Researchers have discovered a method for bypassing the patch for a recently fixed vulnerability in some versions of Ivanti MobileIron Core that can allow an attacker to access a vulnerable API and potentially execute arbitrary code in some limited cases.
The newly disclosed bug only affects versions 11.2 and older of MobileIron Core, and researchers from Rapid7 discovered it while analyzing the patch for a previous Ivanti bug, CVE-2023-35078, which the company addressed last week. The older vulnerability is an issue with an API in the MobileIron Core product that could enable an attacker to steal sensitive information from a vulnerable target. That flaw was exploited as a zero day in the wild, and Ivanti patched a second zero day a couple of days later.
While researching that bug and its effects, the Rapid7 researchers found a secondary issue (CVE-2023-35082), which is closely related, but not identical.
“Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product,” the Rapid7 advisory says.
“CVE-2023-35082 allows a remote unauthenticated attacker to access the API endpoints on an exposed management server. An attacker can use these API endpoints to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform. Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker to write malicious webshell files to the appliance, which may then be executed by the attacker.”
For enterprises running older versions of MobileIron Core affected by this new bug, the best remediation option is to upgrade to a version of the product that’s currently supported.