Security vendor Ivanti has disclosed yet another critical vulnerability in its products, linked to a previous zero-day that was exploited by an APT group to compromise the Norwegian government.
CVE-2023-35082 has a CVSS score of 10 and is described as a remote unauthenticated API access vulnerability in MobileIron Core 11.2 and older. If exploited, it allows unauthorized users to access restricted resources without proper authentication.
“The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability,” explained Ivanti.
“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.”
Read more on the Ivanti zero-day: Ivanti Patches Zero-Day Bug Used in Norway Attacks
Rapid7 discovered the vulnerability while investigating CVE-2023-35078, another critical API access vulnerability in the same product that was exploited in a lengthy cyber-espionage campaign against the Norwegian government.
“Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product,” it explained.
Rapid7 also warned that another Ivanti vulnerability patched soon after the zero-day, CVE-2023-35081, could be chained with CVE-2023-35082 “to allow an attacker write malicious webshell files to the appliance, which may then be executed by the attacker.”
CISA this week warned that the same kind of chaining was possible between CVE-2023-35081 and CVE-2023-35078.
Ivanti said it is not issuing a patch to address the bug in MobileIron Core 11.2 and earlier as the product is now out of support. It urged users to upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM).