{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-056.pdf"
    },
    "title": "Critical Vulnerability in Endpoint Manager Mobile (MobileIron Core)",
    "serial_number": "2023-056",
    "publish_date": "18-09-2023 11:44:58",
    "description": "On August 2, Ivanti disclosed a Remote Unauthenticated API Access Vulnerability affecting EPMM (MobileIron Core) running outdated versions (11.2 and below). On August 7, Ivanti added more recent and supported versions on the list of affected products.<br>\nThe vulnerability tracked as CVE-2023-35082 with as CVSS score of 10 out of 10, is actively exploited and allows an unauthorised, remote actor to potentially access users personally identifiable information and make limited changes to the server.. Ivanti has released security patches addressing this vulnerability. This vulnerability is different from CVE-2023-35078 and CVE-2023-35081.<br>\n",
    "url_title": "2023-056",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Endpoint Manager\u00a0Mobile\u00a0(MobileIron\u00a0Core)'\nversion: '1.0'\nnumber: '2023-056'\noriginal_date: 'August 7, 2023'\ndate: 'August 8, 2023'\n---\n\n_History:_\n\n* _08/08/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn August 2, Ivanti disclosed a Remote Unauthenticated API Access Vulnerability affecting EPMM (MobileIron Core) running outdated versions (11.2 and below) [1,2]. On August 7, Ivanti added more recent and supported versions on the list of affected products.\n\nThe vulnerability tracked as **CVE-2023-35082** with as CVSS score of 10 out of 10, is **actively exploited** and allows an unauthorised, remote actor to potentially access users personally identifiable information and make limited changes to the server. [1]. Ivanti has released security patches [1] addressing this vulnerability. This vulnerability is different from **CVE-2023-35078** [3] and **CVE-2023-35081** [4].\n\n# Technical Details\n\n**CVE-2023-35082** enables an unauthorised, remote actor to potentially access users personally identifiable information and make limited changes to the server by accessing non-restricted API endpoints, namely `/mifs/asfV3/api/v2/*`.\n\n# Affected Products\n\nIvanti reports the vulnerability impacts the following versions of Ivanti Endpoint Manager Mobile (EPMM):\n\n- Endpoint Manager Mobile 11.10\n- Endpoint Manager Mobile 11.9\n- Endpoint Manager Mobile 11.8\n- MobileIron Core 11.7 and below\n\nNote that **older versions/releases are also at risk** (MobileIron Core 11.2 has been out of support since March 15, 2022).\n\n# Recommendations\n\nCERT-EU strongly recommends reviewing Ivanti's security advisory [2] and upgrading affected systems to avoid potential exploitation of this vulnerability.\n\nCERT-EU also recommends reviewing the http access logs (`http-access_log`), available in the `/var/log/httpd/` folder in order to check for requests targeting the API endpoint containing `/mifs/asfV3/api/v2/` in the path. Requests with an HTTP response code of 200 would indicate successful attempts while blocked exploitation attempts will show an HTTP response code of either 401 or 403.\n\n# References\n\n[1] <https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US>\n\n[2] <https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/>\n\n[3] <https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-053.pdf>\n\n[4] <https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-055.pdf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/08/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 2, Ivanti disclosed a Remote Unauthenticated API Access Vulnerability affecting EPMM (MobileIron Core) running outdated versions (11.2 and below) [1,2]. On August 7, Ivanti added more recent and supported versions on the list of affected products.</p><p>The vulnerability tracked as <strong>CVE-2023-35082</strong> with as CVSS score of 10 out of 10, is <strong>actively exploited</strong> and allows an unauthorised, remote actor to potentially access users personally identifiable information and make limited changes to the server. [1]. Ivanti has released security patches [1] addressing this vulnerability. This vulnerability is different from <strong>CVE-2023-35078</strong> [3] and <strong>CVE-2023-35081</strong> [4].</p><h2 id=\"technical-details\">Technical Details</h2><p><strong>CVE-2023-35082</strong> enables an unauthorised, remote actor to potentially access users personally identifiable information and make limited changes to the server by accessing non-restricted API endpoints, namely <code>/mifs/asfV3/api/v2/*</code>.</p><h2 id=\"affected-products\">Affected Products</h2><p>Ivanti reports the vulnerability impacts the following versions of Ivanti Endpoint Manager Mobile (EPMM):</p><ul><li>Endpoint Manager Mobile 11.10</li><li>Endpoint Manager Mobile 11.9</li><li>Endpoint Manager Mobile 11.8</li><li>MobileIron Core 11.7 and below</li></ul><p>Note that <strong>older versions/releases are also at risk</strong> (MobileIron Core 11.2 has been out of support since March 15, 2022).</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends reviewing Ivanti's security advisory [2] and upgrading affected systems to avoid potential exploitation of this vulnerability.</p><p>CERT-EU also recommends reviewing the http access logs (<code>http-access_log</code>), available in the <code>/var/log/httpd/</code> folder in order to check for requests targeting the API endpoint containing <code>/mifs/asfV3/api/v2/</code> in the path. Requests with an HTTP response code of 200 would indicate successful attempts while blocked exploitation attempts will show an HTTP response code of either 401 or 403.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US\">https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/\">https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-053.pdf\">https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-053.pdf</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-055.pdf\">https://www.cert.europa.eu/static/security-advisories/CERT-EU-SA2023-055.pdf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}