Malwarebytes blog (MALWAREBYTES:55F44491DBA4B5B28290A24C6DD7881F)
Aug 02, 2023 - 3:15 p.m.

Ivanti patches second zero-day vulnerability being used in attacks

2023-08-02 15:15:00
Malwarebytes blog
www.malwarebytes.com
Tags: ivanti, zero-day vulnerability, patch, active attack, cve-2023-35081, cisa, known exploited vulnerability, epmm, security advisory, cve database, file write vulnerability, cve-35078, acls, apache tomcat, patch releases, vulnerability management

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.955 High (Percentile: 99.1%)

Ivanti has issued a patch to address a second critical zero-day vulnerability that is under active attack. The vulnerability is said to be used in combination with the first vulnerability we discussed some days ago.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation since at least April 2023. This means all Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by August 21, 2023, to protect their networks against active threats.

Thousands of large organizations, including governments and those providing critical infrastructure, use Ivanti Endpoint Manager Mobile (EPMM). CISA and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA) about the threat actors that are exploiting the Ivanti EPMM vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in the latest updates is CVE-2023-35081, a remote arbitrary file write vulnerability in Ivanti EPMM (formerly known as MobileIron Core) with a CVSS score of 7.2 out of 10.

Further on, Ivanti explains that CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. Chained with CVE-2023-35078 to bypass administrator authentication and access-control list (ACL) restrictions, it allows an attacker to create, modify, or delete files on a victim's system remotely.

Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute operating system (OS) commands on the appliance as the Tomcat user.

Apache Tomcat is a popular open-source web server and servlet container for Java code. By adding files to a running Apache Tomcat instance, an external actor is able to run malicious Java bytecode on the affected servers.

EPMM users are advised to upgrade supported versions of EPMM with the patch releases (11.8.1.2, 11.9.1.2, and 11.10.0.3) from the System Manager portal. Ivanti is urging users of unsupported versions to upgrade to the latest version of EPMM to ensure they have the latest security and stability fixes. More information about upgrading can be found in the 11.x release notes.
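To turn the patch list above into something an administrator can run against an inventory export, here is an added Python example (not code from the post, from Ivanti, or from Malwarebytes). The fixed versions are the ones the post names; the four-part version format, the branch rules for versions outside those branches, and the inventory lines are assumptions constructed for the example.

```python
# Added example: classify Ivanti EPMM appliances by whether they carry a
# CVE-2023-35081 patch release. Fixed versions are from the post; the
# branch logic and the inventory format below are assumptions.
from typing import Dict, Tuple

# Patch releases named in the post, keyed by the supported 11.x branch.
FIXED_RELEASES = {
    (11, 8): (11, 8, 1, 2),
    (11, 9): (11, 9, 1, 2),
    (11, 10): (11, 10, 0, 3),
}
LATEST_FIXED = max(FIXED_RELEASES.values())


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.9.1' into (11, 9, 1, 0); missing trailing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def assess(version: str) -> str:
    """Return 'patched', 'upgrade-in-branch', 'unsupported-upgrade' or
    'newer-than-listed' (a branch the post does not cover; verify with vendor)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "upgrade-in-branch"
    if v > LATEST_FIXED:
        return "newer-than-listed"
    # Older branches have no listed patch release: move to a supported version.
    return "unsupported-upgrade"


# Constructed inventory export: "<hostname> <epmm-version>" per line.
INVENTORY = """\
epmm-eu-01 11.10.0.3
epmm-eu-02 11.9.1.0
epmm-us-01 11.8.1.2
epmm-lab-01 11.7.0.0
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each hostname in the export to its patch status."""
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, version = line.split()
            result[host] = assess(version)
    return result
```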

