External risk intelligence

Ivanti EPMM Authentication Bypass Vulnerability

CVE advisory | Known Exploit

CVE-2023-35078

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized access to restricted functions and data. This poses a risk to organizations through potential exposure of sensitive information and compromise of managed devices. Attackers with network access can exploit this flaw without authentication, leading

Halo Surface Signal: 5

Authentication Bypass

Ivanti Endpoint Manager Mobile

  • before 11.8.1.1
  • 11.9.0 to before 11.9.1.1
  • 11.10 to before 11.10.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2023-35078

Ivanti Endpoint Manager Mobile (EPMM) is a mobile device management solution designed to be network-accessible to manage mobile devices. It functions as an edge service that must be reachable to perform its primary role of enrolling and managing devices, making its API and administrative interfaces inherently public-facing or accessible to the internet in common deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An authentication bypass vulnerability exists within Ivanti EPMM. This flaw allows unauthorized access to restricted functions and resources without proper credentials. Organizations could face risks to sensitive data and the integrity of managed devices.

  • Vulnerable component: Ivanti EPMM
  • Core weakness: Authentication bypass
  • Main business impact: Data exposure, device compromise

Attack Path

How an attacker could exploit the issue

An attacker can bypass authentication to access Ivanti Endpoint Manager Mobile (EPMM) functionalities. This vulnerability allows unauthorized access to sensitive data and the ability to modify device configurations. The attack could impact user privacy and device security.

  • Unauthenticated network access required
  • Attacker accesses API paths
  • Control over configurations and data

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthorized remote actors to bypass authentication. This means that attackers do not need any special access or credentials to exploit this vulnerability. The difficulty of exploitation is low, as it requires no privileges and no user interaction. The potential damage includes unauthorized access to sensitive user data, such as names and phone numbers, and the ability to make configuration changes to the affected systems. This could lead to further compromise and significant business risk.

  • Low skill level required
  • No privileges or access needed
  • High business risk and urgency

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) could allow unauthorized access to sensitive information and system configurations. This could lead to the exposure of personally identifiable information (PII) and unauthorized modifications to device security settings. The risk to the organization includes potential data breaches, compromised device integrity, and disruption of mobile device management operations.

  • Find Ivanti EPMM systems.
  • Limit network access to EPMM.
  • Update EPMM, verify fixes.
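To support the "find systems" and "verify fixes" steps, the following added example (not part of this advisory or of Ivanti's tooling) checks EPMM version strings from an inventory against the affected ranges listed above; the hostnames and versions in the sample inventory are constructed, and the version comparison treats missing trailing components as zero (so 11.10 equals 11.10.0.0).

```python
# Added example: triage an Ivanti EPMM inventory against the affected
# version ranges stated for CVE-2023-35078 (before 11.8.1.1, 11.9.0 to
# before 11.9.1.1, 11.10 to before 11.10.0.2). Not vendor code.
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '11.9.1.1' into (11, 9, 1, 1); non-numeric parts raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def version_lt(a: Version, b: Version) -> bool:
    """a < b, padding the shorter tuple with zeros so 11.10 == 11.10.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


# (inclusive lower bound or None, first fixed version) per the advisory text.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "11.8.1.1"),       # every release before 11.8.1.1
    ("11.9.0", "11.9.1.1"),   # 11.9.0 up to, not including, 11.9.1.1
    ("11.10", "11.10.0.2"),   # 11.10 up to, not including, 11.10.0.2
]


def is_affected(version_text: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        below_fix = version_lt(v, parse_version(fixed))
        at_or_above_low = low is None or not version_lt(v, parse_version(low))
        if below_fix and at_or_above_low:
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) pairs to (host, version, status) for prioritisation."""
    return [(h, ver, "AFFECTED" if is_affected(ver) else "fixed") for h, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own asset data.
    sample = [("epmm-01.example.invalid", "11.8.0.0"),
              ("epmm-02.example.invalid", "11.9.1.1"),
              ("epmm-03.example.invalid", "11.10.0.1")]
    for row in triage(sample):
        print(*row)
```

Rerun the check after patching so every host reports "fixed" before the network restrictions are relaxed.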

Frequently asked questions

What is Ivanti Endpoint Manager Mobile (EPMM) and what is it used for?

Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, is a software solution used for managing and securing mobile devices within an organization. It allows IT administrators to enroll devices, enforce security policies, distribute applications, and protect sensitive corporate data on mobile endpoints.

How does the CVE-2023-35078 vulnerability work?

CVE-2023-35078 is an authentication bypass vulnerability. This means it allows an attacker to access restricted features or data within Ivanti EPMM without needing to log in or provide valid credentials. The weakness is categorized as CWE-287, which relates to improper authentication.

What are the conditions for an attacker to exploit CVE-2023-35078?

An attacker needs network access to the Ivanti EPMM system to exploit this vulnerability. No special privileges or user interaction are required, making it accessible to remote attackers.

Who should be concerned about the Ivanti EPMM vulnerability CVE-2023-35078?

Organizations using Ivanti EPMM should be concerned, especially if their systems are accessible from the internet. Halo classifies this vulnerability as 'Very likely' to be exposed externally because EPMM needs to be network-accessible to manage devices, making its interfaces potentially reachable online.

What should someone running Ivanti EPMM do first about this vulnerability?

The first steps are to identify all Ivanti EPMM systems within your environment and to restrict network access to these systems where possible. After implementing these initial measures, it is crucial to update your Ivanti EPMM to a version that includes the necessary fixes.
