Ivanti endpoint security needs security upgrade

Older MobileIron appliances had an exploitable API.

Ivanti, which last week had to patch a vulnerability in its Endpoint Manager Mobile (EPMM) product, has disclosed a new bug in the same product.


As detailed by Rapid7, CVE-2023-35082 bypasses the patch Ivanti released for the earlier CVE-2023-35078.

Both are access-control vulnerabilities in the EPMM (formerly MobileIron Core) API: they allow unauthenticated, remote attackers to access users' personal information and "make limited changes to the server", according to Ivanti's notice.

The latest vulnerability has a CVSS score of 10, the maximum possible.

Since the affected versions, MobileIron Core 11.2 and prior, are out of support, Ivanti recommends affected users upgrade to the latest version of EPMM.

Rapid7 said the vulnerability arises because a web application on the appliance had "permissive" entries in its security filter chain, so requests to certain API paths were never subjected to the authentication check.

As a result, an unauthenticated attacker can reach the API endpoints on any management server exposed to them, Rapid7 said.

“An attacker can use these API endpoints to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform."
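The failure mode Rapid7 describes, a filter chain whose rules are evaluated in order and whose "permissive" entries let API requests through without authentication, is easiest to see in a small model. The following Python is an added illustration written for this page, not code from Ivanti, Rapid7 or the EPMM appliance; the path patterns, the two rule sets and the sample request paths are constructed assumptions, and no real EPMM endpoint is named. The permissive chain has two classic defects: a broad glob meant for static assets that also matches an API path, and no default-deny rule, so an API version the rules never mention falls straight through. The hardened chain anchors the public patterns to their mount points, puts the authenticated API rule ahead of everything else and ends with an explicit catch-all.

```python
"""Toy model of an ordered 'security filter chain' (constructed example,
not Ivanti/Rapid7 code). The first rule whose pattern matches the request
path decides whether the request must be authenticated."""
import fnmatch
from typing import List, Tuple

# A rule is (glob pattern, requires_authentication)
Rule = Tuple[str, bool]


class FilterChain:
    def __init__(self, rules: List[Rule], default_deny: bool = True) -> None:
        self.rules = rules
        self.default_deny = default_deny

    def decide(self, path: str, authenticated: bool) -> bool:
        """Return True if the request is allowed to reach its handler."""
        for pattern, requires_auth in self.rules:
            # fnmatch '*' also spans '/', which is exactly what makes
            # broad patterns dangerous in a path-based filter chain.
            if fnmatch.fnmatchcase(path, pattern):
                return authenticated or not requires_auth
        # No rule matched: a chain without default-deny lets it through.
        return not self.default_deny


# Hypothetical permissive configuration (constructed for the example).
PERMISSIVE = FilterChain(
    rules=[
        ("/login", False),
        ("/*/assets/*", False),   # meant for static files, but also matches /api/assets/...
        ("/api/v1/*", True),      # only v1 is protected; nothing covers other versions
    ],
    default_deny=False,           # unmatched paths are allowed through
)

# Hardened configuration (constructed for the example).
HARDENED = FilterChain(
    rules=[
        ("/login", False),
        ("/static/assets/*", False),  # anchored to the real static mount point
        ("/api/*", True),             # every API version requires authentication
        ("*", True),                  # explicit catch-all: everything else needs auth
    ],
    default_deny=True,
)

# Constructed request paths an auditor might replay against each chain.
SAMPLE_PATHS = [
    "/login",
    "/static/assets/app.js",
    "/api/v1/users",
    "/api/v2/users",          # newer API version the permissive chain never names
    "/api/assets/users",      # API path that also satisfies the static-asset glob
]


def audit(chain: FilterChain, paths: List[str]) -> List[str]:
    """Return the paths an unauthenticated client can reach through `chain`."""
    return [p for p in paths if chain.decide(p, authenticated=False)]


if __name__ == "__main__":
    print("permissive chain, reachable without auth:", audit(PERMISSIVE, SAMPLE_PATHS))
    print("hardened chain, reachable without auth:  ", audit(HARDENED, SAMPLE_PATHS))
```

Running `audit` against the permissive chain shows two API paths reachable with no credentials, one through the over-broad asset glob and one through the missing default-deny; against the hardened chain only the login page and the genuine static assets remain public. The same replay-a-list-of-paths approach is what a practitioner would use to confirm that an upgraded appliance actually rejects unauthenticated API requests.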

A previously-patched bug, CVE-2023-35081, has a lower CVSS score of 7.2 – but it allows an authenticated attacker to write malicious files to the appliance.

Rapid7 explained: “CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker to write malicious webshell files to the appliance, which may then be executed by the attacker.”
