CVE-2023-35082: Critical Security Vulnerability in MobileIron Core
IT software company Ivanti has disclosed a new critical security vulnerability in its MobileIron Core mobile device management software. Tagged as CVE-2023-35082, this vulnerability is not to be taken lightly. In fact, it scored the maximum 10 points on the Common Vulnerability Scoring System (CVSS). This measurement indicates an exceptionally hazardous flaw that requires immediate attention. The flaw is specifically a remote unauthenticated API access vulnerability, impacting MobileIron Core version 11.2 and older.
The cybersecurity company Rapid7 is responsible for unearthing this potentially calamitous issue. They found that the flaw gives unauthenticated attackers the opportunity to access the API in older, unsupported versions of MobileIron Core, specifically version 11.2 and those preceding it.
The implications of this vulnerability are disturbing. “If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti warned in an advisory released on August 2, 2023.
Stephen Fewer, a security researcher from Rapid7, connected the dots between this flaw and another one tagged as CVE-2023-35078. Both vulnerabilities originate from a permissive security filter chain in the mifs web application. Successful exploitation of the flaw paves the way for attackers to access the personal information of mobile device users. Moreover, it allows them to introduce a backdoor to compromised servers, by deploying web shells, particularly when this bug is chained with other vulnerabilities.
However, Ivanti has made it clear that they will not release security patches for the CVE-2023-35082 flaw. The reason behind this decision is that the flaw has been addressed in newer versions of their product. The company’s solution has been rebranded as Endpoint Manager Mobile (EPMM).
Ivanti issued a statement explaining, “MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats.”
The company reassures its customers that the vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM. In addition, Ivanti’s support team is ready and willing to assist customers with the upgrade process.
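The affected/unaffected split above (MobileIron Core 11.2 and earlier affected; Core 11.3 and above, EPMM and Neurons for MDM not affected) is the kind of rule an asset-inventory triage script encodes. The following is an added example, not code from Ivanti or Rapid7: it parses version strings numerically so that the comparison is correct for versions such as 11.10, which a naive string comparison would misclassify. The inventory records and host names are constructed for illustration.

```python
from dataclasses import dataclass

# Boundary taken from the advisory text: MobileIron Core 11.2 and earlier are affected.
# Anything newer (11.3+), plus EPMM and Neurons for MDM, is stated as not affected.
LAST_AFFECTED_CORE = (11, 2)
AFFECTED_PRODUCT = "mobileiron core"


@dataclass
class Asset:
    host: str      # constructed hostname, not a real target
    product: str
    version: str


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.2.0.1' into (11, 2, 0, 1) so comparison is numeric, not lexical."""
    parts = []
    for component in version.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {component!r} in {version!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when the asset falls in the advisory's affected range (Core <= 11.2)."""
    if product.strip().lower() != AFFECTED_PRODUCT:
        return False  # EPMM and Neurons for MDM are not in scope
    return parse_version(version)[:2] <= LAST_AFFECTED_CORE


def naive_is_affected(version: str) -> bool:
    """The pitfall: plain string comparison says '11.10' <= '11.2' because '1' < '2'."""
    return version <= "11.2"


def triage(inventory: list[Asset]) -> dict[str, str]:
    """Map each host to an action. Since no patch exists for 11.2 and earlier,
    the only remediation the advisory gives is upgrading to EPMM."""
    actions = {}
    for asset in inventory:
        if is_affected(asset.product, asset.version):
            actions[asset.host] = "AFFECTED: upgrade to Ivanti EPMM (no patch for 11.2 or earlier)"
        else:
            actions[asset.host] = "not affected by CVE-2023-35082"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory
    sample = [
        Asset("mdm-old-01.example", "MobileIron Core", "11.2"),
        Asset("mdm-old-02.example", "MobileIron Core", "11.1.0.3"),
        Asset("mdm-new-01.example", "MobileIron Core", "11.3"),
        Asset("mdm-new-02.example", "MobileIron Core", "11.10"),
        Asset("epmm-01.example", "Ivanti Endpoint Manager Mobile", "11.2"),
    ]
    for host, action in triage(sample).items():
        print(f"{host:22} {action}")
```

The `naive_is_affected` function is kept only to show why the numeric parse matters: it would flag a hypothetical 11.10 build as affected and could equally let a real 11.2 build slip through under a different string ordering, so inventory checks should always compare version tuples rather than raw strings.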
So, for businesses still using MobileIron Core 11.2 or earlier, the path forward is clear: upgrade to Ivanti’s latest solution, EPMM. Proactivity in the face of vulnerabilities like CVE-2023-35082 is not just recommended—it’s crucial.