Ivanti Endpoint Manager Mobile Flaws Could Allow Device Impersonation and Certificate Theft

CVE-2023-39335

On November 9, 2023, enterprise software vendor Ivanti disclosed two critical vulnerabilities, CVE-2023-39335 and CVE-2023-39337, in its Endpoint Manager Mobile (EPMM, formerly MobileIron Core). These vulnerabilities pose significant risks to all versions of this widely used enterprise mobility management solution.

CVE-2023-39335 – Authenticated User enroll as another user vulnerability

CVE-2023-39335, assigned a CVSS score of 8.5, presents a scenario where an authenticated user (with an enrolled device) can enroll another device under a different EPMM user’s profile. For successful exploitation, the attacker requires additional information, potentially obtained by monitoring TLS traffic, to identify and impersonate the targeted user. This vulnerability exposes a critical loophole in device management and security protocols.

CVE-2023-39337 – Authenticated user obtain certificate for another user vulnerability

The second vulnerability, CVE-2023-39337, scores 6.8 on the CVSS scale. It enables an authenticated user to acquire a valid certificate for another EPMM user, following an attack pattern similar to that of CVE-2023-39335. Here, the risk lies in unauthorized access to digital certificates, a cornerstone of secure communication in enterprise environments.

Exploiting these vulnerabilities could be particularly damaging in scenarios involving a physically stolen device, insider threats with valid user certificates, or systems with open enrollment policies. An adept attacker could potentially use these vulnerabilities in tandem, impersonating an authenticated user to:

  1. Obtain a valid certificate for another EPMM user (CVE-2023-39337).
  2. Enroll a device for another EPMM user (CVE-2023-39335).

These actions could allow unauthorized access to resources protected by Sentry, Ivanti’s gateway for securing mobile device access. However, the sophistication required for such an attack chain indicates that only highly skilled threat actors would likely attempt this exploit.

The vulnerabilities impact all supported versions of EPMM, including Versions 11.10, 11.9, and 11.8, as well as Sentry Versions 9.18, 9.17, and 9.16. It’s crucial to note that older versions are equally vulnerable, highlighting the widespread potential impact across numerous enterprise environments.

In response to these findings, Ivanti has swiftly released patches to mitigate these vulnerabilities. These are included in the EPMM (Core) releases 11.10.0.4, 11.11.0.2, and 11.12.0.0. For organizations using Ivanti’s solutions, updating to these versions is not just recommended; it’s imperative for maintaining the integrity of their mobile device management and security frameworks.
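
To check an estate against the fixed releases listed above, the following added example (not Ivanti's code) triages EPMM (Core) version strings per release branch. The hostnames and versions are constructed samples, and treating branches newer than 11.12 as patched is an assumption.

```python
# Added example: triage EPMM (Core) versions against the fixed releases
# named in the article. Hostnames and versions below are constructed samples.

# Fixed release per branch, as listed in the article.
FIXED = {(11, 10): (11, 10, 0, 4), (11, 11): (11, 11, 0, 2), (11, 12): (11, 12, 0, 0)}
NEWEST_FIXED_BRANCH = max(FIXED)


def parse_version(text):
    """Turn '11.10.0.3' into (11, 10, 0, 3); pad short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text):
    """Return (status, detail) for one EPMM Core version string."""
    try:
        version = parse_version(version_text)
    except ValueError as exc:
        return "unknown", str(exc)
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if version >= fixed:
            return "patched", "at or above " + ".".join(map(str, fixed))
        return "vulnerable", "update to " + ".".join(map(str, fixed))
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: branches after 11.12 carry the 11.12.0.0 fix forward.
        return "patched", "newer than 11.12 branch (assumed to include the fix)"
    # 11.9, 11.8 and older: the article lists no fixed build on these branches.
    return "vulnerable", "no fix on this branch; upgrade to a fixed release"


def triage(inventory):
    """Map host -> (status, detail) for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory
        "epmm-a.example": "11.10.0.3",
        "epmm-b.example": "11.11.0.2",
        "epmm-c.example": "11.8.1.0",
        "epmm-d.example": "build-unknown",
    }
    for host, (status, detail) in triage(sample).items():
        print(f"{host:18} {status:10} {detail}")
```

Hosts reported as "unknown" need manual review rather than being counted as patched.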