CVE-2023-35078 (ZERO DAY)

Technical Details of CVE 2023-35078

As this bug is introduced by vulnerable endpoint so as an attacker we have to find out the endpoint which is vulnerable and not ask for creds after that we have to change the Uri path of the legitimate request to vulnerable one. Example: Normal request: https://example.server/api/v2/ Attacker request: https://example.server/vulnerable path/api/v2/admin/user - To list all users Attacker request: https://example.server/vulnerable path/api/v2/devices- To list all devices Attacker request: https://example.server/vulnerable path/api/v2/ldap_entites - To search active directory inside the organization You can find out that your MDM solution vulnerability is exploited or not by analysing your logs if you found the abnormal requests like above then please update to the non vulnerable version. Note: Vulnerable endpoint you can find by using publicly available document - https://help.ivanti.com/mi/help/en_us/CORE/10.8.0.0/api2/Content/APIv2/APIv2Title.htm

How you can Find your system to patch?

You can search on shodan your assets path =/mifs SSL:.example.com

Affected Versions

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server. We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.