About the issue at hand, after disclosing active exploitation of CVE-2023-35081 and CVE-2023-35078 by -2023 by what appears to be state-sponsored APT (Advanced Persistent Threat) groups, Ivanti has been trying to get things under control for MobileIron. This has included rolling out a fix for a pair of buffer overflow flaws tracked as CVE-2023-32560. This is a lot to deal with in a very short period of time and considering that the vulnerabilities ran the gamut of Authentication Bypasses, to directory transversal, to buffer overflows with RCE potential they are nothing to be taken lightly.
The most recently exploited flaw takes us to the API authentication process. Tracked as CVE-2023-38035, this flaw ais in the MobileIron Configuration Service (MICS) over port 8443. It allows an unauthenticated attacker to gain access due to lax restrictions in Apache HTTPD configuration. Once an attacker has successfully exploited this flaw they can execute system commands, change configurations, and write files. CVE-2023-38034 affects Ivanti Sentry version 9.18 and earlier.
As a mitigation step (prior to patching) Ivanti is advising clients to limit access to MICS internally and prevent all access from the internet (as it should already be). The good news, if you can call it that, is that this new flaw does not seem to affect Ivanti EPMM, MobileIron Cloud, or Ivanti Neurons for MDM. The active exploitation of the new flaw also seems to be relatively limited in scope with Ivanti saying “As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035.”
Ivanti has scripts available to fix the issue and recommends that clients upgrade to a “supported” version and then apply the RPM script for the version they are running on. Basically, patch now. This is the same advice that the US CISA is also giving for the two exploited 0-days (CVE-2023-35081 and CVE-2023-35078). In case you haven’t noticed the pattern… upgrade your Ivanti Sentry to a supported version, run the RPM script for your version, AND block access to MICS from the open internet, while limiting and monitoring access internally.
Again, taken independently each of the recent attacks on Enterprise Tools is concerning, viewed in combination we are looking at a return of attacks focused on toolsets, cloud providers, and MS(S)Ps. These targets are attractive because they allow a grater payoff for a lower cost. A 0-day in an MFT (as we saw with MoveIT and Citrix File Share, is going to net you hundreds if not thousands of victims. Traversing through MS(S)Ps grants you some serious access to downstream clients. We all know this, and the attackers do as well. None of this is new, it is just a return to old tactics at a time when security spending is getting cut and before regulations get put in place that require companies to actually show what is in their software and how vulnerable it may be. The next 6-10 months are going to be fun.