CVE-2023-35082: Unauthenticated API Access Vulnerability in MobileIron Core
CVE-2023-35082 is a critical vulnerability that allows access to APIs in older versions of MobileIron Core
Ivanti is having a tough time as another critical vulnerability has been reported after the latest incident. This time, it’s the CVE-2023-35082 vulnerability, which affects older and unsupported versions of MobileIron Core.
MobileIron Core is an unsupported product used for managing mobile devices such as phones and tablets.
CVE-2023-35082 allows unauthenticated attackers to access the API in older versions of MobileIron Core (11.2 and earlier). This means a cybercriminal could gain access to API endpoints on the exposed management server without the need for authentication. With this access, an attacker could potentially disclose personal data or make modifications to the platform. Furthermore, the attacker could chain it with CVE-2023-35081, increasing the risk and severity of the attack.
Key Features
- CVE Identifier: CVE-2023-35082
- CVSS Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Publication Date: 08/02/2023
- Affected Software: MobileIron Core
- Vulnerable Versions: MobileIron Core 11.2 and prior
It’s important to note that this vulnerability stems from an issue similar to CVE-2023-35078: the permissive nature of certain entries in the security filter chain of the web application. This makes it a patch bypass for CVE-2023-35078 in versions 11.2 and earlier of the product.
Mitigation and Recommendations
Ivanti has issued a statement regarding this vulnerability. However, because MobileIron Core 11.2 has been out of support since March 15, 2022, no patch will be provided for this vulnerability in that version or earlier ones. The best solution is to migrate to the latest version of Ivanti Endpoint Manager Mobile (EPMM).
Indicators of Compromise
Rapid7, the company behind the discovery, has provided indicators of compromise to detect possible exploitation attempts of this vulnerability. The Apache HTTP logs stored on the device may contain the following entries:
- /var/log/httpd/https-access_log
  - Example: 192.168.86.34:61736 - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285
- /var/log/httpd/https-request_log
  - Example: 2023-07-28--15-24-51 192.168.86.34 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 68 "-" "curl/8.0.1"
It’s crucial for system administrators to be vigilant about these log entries to detect suspicious activities and possible exploitation attempts.
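A log-triage sketch for the two files named above, added here as an example and not taken from Rapid7, Ivanti or Tarlogic: it parses both entry formats and reports requests under /mifs/asfV3/api/. The field layouts are inferred from the two example entries, and matching the whole prefix rather than only the ping endpoint is an assumption.

```python
import re
from urllib.parse import unquote

# Prefix taken from the example entries above; matching everything under it
# (not only .../v2/ping) is an assumption of this sketch.
IOC_PREFIX = "/mifs/asfV3/api/"

# https-access_log: ip:port - timestamp "request" status bytes "referer" "agent" n
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+):\d+ - (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
# https-request_log: timestamp ip tls cipher "request" bytes "referer" "agent"
REQUEST_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\S+ "[^"]*" "(?P<agent>[^"]*)"')

def find_hits(lines):
    """Return a record for every log line whose request path is under IOC_PREFIX."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line) or REQUEST_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not treated as clean
        rec = m.groupdict()
        # Drop the query string, decode %xx and collapse "//" before comparing.
        path = re.sub(r"/+", "/", unquote(rec["path"].split("?", 1)[0]))
        if path.startswith(IOC_PREFIX):
            # Only the access log records a status code; request_log gives None.
            status = rec.get("status")
            rec["status"] = int(status) if status else None
            hits.append(rec)
    return hits

# Lines 1 and 3 are the examples quoted above, written with the ASCII quotes
# and dashes found in log files on disk; lines 2 and 4 are constructed.
SAMPLE = [
    '192.168.86.34:61736 - 2023-07-28--15-24-51 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 3285',
    '192.168.86.50:50212 - 2023-07-28--15-30-02 "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 4100',
    '2023-07-28--15-24-51 192.168.86.34 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 68 "-" "curl/8.0.1"',
    '192.168.86.77:40112 - 2023-07-28--15-31-10 "GET /mifs/asfV3/api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.0.1" 2100',
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE):
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"], h["agent"])
```

To run it against a real appliance, pass an open file handle for each of the two logs to `find_hits` in place of `SAMPLE`.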
As part of its emerging vulnerabilities service, Tarlogic Security proactively monitors its clients’ perimeter to inform, detect, and notify the presence of this vulnerability and other critical threats that could have a severe impact on security.