Servers running Ivanti's Endpoint Manager Mobile (EPMM) solution, and therefore exposed to two recently disclosed vulnerabilities, are mostly in the hands of Western companies and governments. Patches are available, but security specialists fear attackers have already breached many of those networks. The story began when Norway discovered it had fallen victim to an attack. The end of the story does not seem near.
Norway announced on July 24 that attackers had gained entry to a software platform used by 12 Norwegian ministries through a zero-day vulnerability. The same day, Ivanti confirmed that the zero-day was in one of its products.
The zero-day, CVE-2023-35078, is an authentication bypass in EPMM. It allows a remote, unauthenticated attacker to reach specific API paths on every version of the software, including unsupported and end-of-life releases. Through those paths the attacker can read personal data held on the system, such as users' names and phone numbers, and can also change the appliance's configuration. All of this can be done remotely, without any credentials.
In short, the zero-day allows an attacker to do serious damage. Ivanti did, however, publish a patch at the same time as it disclosed the problem.
Zero-day on zero-day
The problems, however, were not over. Four days later, Ivanti disclosed a second zero-day in the same product, CVE-2023-35081, an arbitrary file write. Chained with the first, it lets an attacker bypass administrator authentication and ACL restrictions and then create, modify or delete files on the appliance.
Ivanti's handling of the disclosure also drew criticism. Security experts objected when the advisory for the first vulnerability was initially published only in a knowledge-base article accessible to paying customers with a login, rather than openly. Ivanti soon reversed course and made the advisory public.
Mainly used in Western countries
Researchers at Palo Alto Networks' Unit 42 looked into the potential impact of the vulnerability. It was already clear that Norwegian ministries used EPMM, but which other countries and sectors were exposed?
On July 24, the day the zero-day was announced, a scan found 5,500 vulnerable Ivanti EPMM servers. "The regional statistics from this scan indicate that more than 80 percent of these servers are located in Western countries," the report said. The servers are deployed across many sectors: local and national government agencies, healthcare, legal, universities, financial institutions, charities and retail.
Ivanti did not originally develop EPMM. The product, formerly MobileIron Core, has been in Ivanti's hands since its 2020 acquisition of MobileIron. At the time, Ivanti said the deal would chiefly benefit the security of MobileIron's products, promising devices that are proactive, autonomous, self-healing and self-securing, and that save corporate IT departments a lot of work.
The security of such solutions is crucial to keeping personal data out of attackers' hands. Compromising a mobile device management (MDM) product gives an attacker control over the smartphones, laptops and tablets of every user enrolled in it, which in most cases means every employee of the company.
Meanwhile, investigations continue. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) jointly published an advisory on the situation and recommended next steps on Aug. 2.
According to the advisory, the earliest signs of exploitation date back to April 2023. It recommends that organizations examine all affected systems for indicators of compromise, since CISA and NCSC-NO believe both zero-days have already been exploited. The consequences of these vulnerabilities may linger for a long time, and they may have damaged trust in the vendor.
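One way to start the triage the advisory calls for, as an added example that is not part of the original article or of any Ivanti, CISA or NCSC-NO tooling: scan web-server access logs for successful requests to the API paths the authentication bypass exposes, and set aside known administrative sources so that what remains is worth a closer look. The path prefix `/mifs/aad/api/v2/`, the Common Log Format layout and the sample addresses are assumptions made for illustration, not facts stated on this page; take the real list of affected paths from the vendor and CISA/NCSC-NO advisories, and adapt the regex to whatever your web tier actually writes.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample access-log lines in Common Log Format. These are not real
# EPMM logs; the appliance's own log format and locations are not given on this page.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2023:10:14:02 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 58
203.0.113.7 - - [20/Jul/2023:10:14:09 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 4211
198.51.100.4 - - [20/Jul/2023:11:02:33 +0000] "POST /mifs/login HTTP/1.1" 302 0
198.51.100.4 - admin [20/Jul/2023:11:02:40 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 9000
192.0.2.9 - - [21/Jul/2023:03:00:11 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 401 0
"""

# Assumed prefix of the affected API paths, used here only for illustration.
# Replace with the paths listed in the vendor advisory.
API_PREFIX = "/mifs/aad/api/v2/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_successful_api_hits(
    log_text: str,
    api_prefix: str = API_PREFIX,
    known_sources: FrozenSet[str] = frozenset(),
) -> List[Dict[str, str]]:
    """Return requests under api_prefix that succeeded (2xx) and did not come
    from a known administrative source. A successful call to these paths from
    an unexpected address is the signal to investigate; a 401 means the bypass
    was not in play for that request. Unparseable lines are skipped."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        status = int(m.group("status"))
        if not path.startswith(api_prefix) or not 200 <= status < 300:
            continue
        if m.group("ip") in known_sources:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "user": m.group("user"),
            "method": m.group("method"),
            "path": path,
        })
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source address so the noisiest sources surface first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    # 198.51.100.4 stands in for a known admin workstation in the constructed data.
    found = find_successful_api_hits(SAMPLE_LOG, known_sources=frozenset({"198.51.100.4"}))
    for h in found:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} {h["method"]} {h["path"]}')
    print(summarize_by_source(found))
```

Treat the output as a starting point, not a verdict: an exploited appliance may also show new administrator accounts, configuration changes or unexpected files, which is why the advisory asks for a full examination rather than a log grep alone.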