The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a now-patched crucial flaw impacting Ivanti Endpoint Supervisor Cellular (EPMM) and MobileIron Core to its Identified Exploited Vulnerabilities (KEV) catalog, stating it is being actively exploited within the wild.
The vulnerability in query is CVE-2023-35082 (CVSS rating: 9.8), an authentication bypass that is a patch bypass for an additional flaw in the identical resolution tracked as CVE-2023-35078 (CVSS rating: 10.0).
“If exploited, this vulnerability permits an unauthorized, distant (internet-facing) actor to probably entry customers’ personally identifiable info and make restricted modifications to the server,” Ivanti famous in August 2023.
All variations of Ivanti Endpoint Supervisor Cellular (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and under are impacted by the vulnerability.
Cybersecurity agency Rapid7, which found and reported the flaw, mentioned it may be chained with CVE-2023-35081 to allow an attacker to write down malicious net shell recordsdata to the equipment.
There are at present no particulars on how the vulnerability is being weaponized in real-world assaults. Federal businesses are really useful to use vendor-provided fixes by February 8, 2024.
The disclosure comes as two different zero-day flaws in Ivanti Join Safe (ICS) digital personal community (VPN) gadgets (CVE-2023-46805 and CVE-2024-21887) have additionally come underneath mass exploitation to drop net shells and passive backdoors, with the corporate anticipated to launch updates subsequent week.
“We now have noticed the menace actor goal the configuration and working cache of the system, which incorporates secrets and techniques vital to the operation of the VPN,” Ivanti mentioned in an advisory.
“Whereas we’ve not noticed this in each occasion, out of an abundance of warning, Ivanti is recommending you rotate these secrets and techniques after rebuild.”
Volexity, earlier this week, revealed that it has been capable of finding proof of compromise of over 1,700 gadgets worldwide. Whereas preliminary exploitation was linked to a suspected Chinese language menace actor named UTA0178, further menace actors have since joined the exploitation bandwagon.
Additional reverse engineering of the dual flaws by Assetnote has uncovered an extra endpoint (“/api/v1/totp/user-backup-code”) by which the authentication bypass flaw (CVE-2023-46805) may very well be abused on older variations of ICS and acquire a reverse shell.
Safety researchers Shubham Shah and Dylan Pindur described it as “one other instance of a safe VPN machine exposing itself to broad scale exploitation as the results of comparatively easy safety errors.”
