CVE-2023-35082

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

Recent assessments:

sfewer-r7 at August 03, 2023 9:02am UTC reported:

Update: August 8, 2023: Ivanti have indicated that CVE-2023-35082 affects all versions of Endpoint Manager Mobile (EPMM) prior to a patch released August 7, 2023. The attacker rating value for CVE-2023-35082 has been increased to reflect the new product versions affected by this vulnerability.

CVE-2023-35082 gives an attacker unauthenticated API access to a vulnerable Ivanti Endpoint Manager Mobile (EPMM) or MobileIron Core target.

An attacker can access the MobileIron Core API unauthenticated, by including /asfV3/ in the URL path, for example:

c:\> curl -k https://192.168.86.103/mifs/asfV3/api/v2/ping

This will successfully call the ping API endpoint, which is meant to require authentication from a user with admin role privileges, and the following result is returned:

{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}

The /var/log/httpd/https-access_log log file on the appliance will show indicators of compromise for entries containing /mifs/asfV3/api/v2/in the path and a HTTP response code of 200. For example:

192.168.86.34:61736 - - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5