Updated 03.08.2023: Find updates at end of advisory
We have been working together with Ivanti to disclose and patch the vulnerability, which is being tracked as CVE-2023-35081. The vulnerability has received a CVSS score of 7.2, meaning its severity is categorised as high.

Remote File Write (RFW) vulnerabilities pose serious threats to system security.

The vulnerability: CVE-2023-35081

A Remote File Write vulnerability is a type of security flaw that allows an attacker to create, modify, or delete files on a victim's system remotely. This could potentially lead to a broad spectrum of attacks, including data breaches and system takeovers.

We have observed this exploit being used in combination with CVE-2023-35078 to write JSP and Java .class files to disk.

These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious java bytecode on the affected servers.
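Because the observed post-exploitation activity was files written into a running Tomcat instance, one defensive check is to baseline the JSP and .class files under the webapps tree and report anything new, modified or missing. The script below is an added example written for this advisory, not code from mnemonic or Ivanti; the directory layout, file names and contents it builds are constructed for the demonstration, and the real webapps location on an EPMM appliance is not stated here.

```python
"""
Added example (not mnemonic's or Ivanti's code): hunt for unexpected JSP and
Java .class files under a Tomcat webapps tree, since the advisory reports
CVE-2023-35081 being used to write such files to disk for Tomcat to load.

Approach: build a baseline manifest (relative path -> SHA-256) from a
known-good state, then compare the live tree against it and report files
that are new, modified or missing. All paths and file contents below are
constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# File types the advisory says were dropped on disk and loaded by Tomcat.
SUSPECT_SUFFIXES = {".jsp", ".jspx", ".class"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each suspect-type file (path relative to root) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SUSPECT_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return suspect files that are new, modified or missing versus the baseline."""
    current = build_manifest(root)
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys()
                      if current[k] != baseline[k])
    return {"new": new, "modified": modified, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean tree, then a dropped JSP and an altered class."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webapps"  # assumed layout, not the appliance's real path
        classes = root / "ROOT" / "WEB-INF" / "classes"
        classes.mkdir(parents=True)
        (root / "ROOT" / "index.jsp").write_text("<%-- legitimate page --%>")
        (classes / "App.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        (root / "ROOT" / "logo.png").write_bytes(b"ignored: not a suspect type")
        baseline = build_manifest(root)

        # Simulate what the advisory describes: files written into the running app.
        (root / "ROOT" / "dropped.jsp").write_text("<%-- constructed: unexpected file --%>")
        (classes / "App.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\x01" * 8)
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

In practice the baseline manifest would be produced from a freshly patched or vendor-supplied image and stored off the appliance, so that an attacker who can write files cannot also rewrite the reference.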

Affected Systems

Ivanti reports the vulnerability impacts all supported versions of Ivanti Endpoint Manager Mobile (EPMM) – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.

Recommendations

Follow the recommendations for CVE-2023-35078, and check your logs for the vulnerable path mentioned in the previous advisory.

Patch your Ivanti EPMM instance and follow Ivanti recommendations.

If you need more information to evaluate whether your systems are at risk, feel free to reach out.

Detection coverage for mnemonic Managed Detection and Response (MDR) customers

mnemonic has deployed a detection rule specifically for this CVE.
Updates

03.08.2023

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA) “Threat Actors Exploiting Ivanti EPMM Vulnerabilities” [CISA advisory | NCSC-NO advisory] in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. The advisory includes a list of indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).

CISA added both CVE-2023-35078 and CVE-2023-35081 to its Known Exploited Vulnerabilities Catalog.