All versions of Ivanti product affected by vulnerability used in Norway gov’t attack

IT giant Ivanti said on Monday that several recently-discovered vulnerabilities affect all versions of their Endpoint Manager Mobile (EPMM) tool.

EPMM, formerly MobileIron Core, is a platform that allows organizations to manage mobile devices like phones and tablets as well as enforce content and application policies.

Two weeks ago, the government of Norway revealed that 12 government agencies in the country had been hacked through several zero-days affecting EPMM.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Norway’s government published an advisory about the vulnerabilities last week, noting that nation state hackers had been exploiting them since April. But just two days after that advisory, Ivanti announced a third issue: CVE-2023-35082.

The vulnerability “enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” they explained, noting it has a CVSS score of 10 — the highest level of severity for a vulnerability.

Ivanti initially said the bug only affected MobileIron Core 11.2 and earlier. But in an updated advisory on Monday, the company said the vulnerability affects all versions.

“Since originally reporting CVE-2023-35082… Ivanti has continued its investigation and has found that this vulnerability impacts all versions of Ivanti Endpoint Manager Mobile 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below,” the company said.

“The risk of exploitation depends on the individual customer’s configurations. This vulnerability only impacts EPMM / MobileIron Core. No other Ivanti products are affected. Ivanti has an RPM Fix for versions 11.10 to 11.3 available now. Customers on older versions should first upgrade to 11.10 and then apply the RPM fix.”

The bug was discovered by Stephen Fewer, principal security researcher at security firm Rapid7, while examining CVE-2023-35078, the first issue found affecting Ivanti’s EPMM product.

MobileIron was originally its own company before being bought by Ivanti in 2020 and rebranded as EPMM

According to searches on the security website Shodan, thousands of organizations are still exposed to the Ivanti vulnerabilities, many of which are located in the U.S. CISA added the first two bugs to its catalog of Known Exploited Vulnerabilities, giving federal civilian agencies until August 21 to patch it.