Ivanti plugs critical bug – but not before it was used against Norwegian government

Uncle Sam warns sysadmins to get patching as soon as possible


A critical security flaw in Ivanti's mobile endpoint management code was exploited and used to compromise 12 Norwegian government agencies before the vendor plugged the hole.

On Monday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog, the list of flaws known to be under active attack that federal agencies are required to patch on a deadline.

CISA did not immediately respond to The Register's inquiries about whether any US government agencies or corporations have been compromised via the hole.

After initially taking down an advisory with details about the bug, and then hiding the advisory behind a paywall, on Tuesday Ivanti finally posted a public-facing security alert about CVE-2023-35078 – a remote authentication bypass vulnerability, which received a nastily perfect 10 out of 10 CVSS severity rating. 

A knowledge-base article with "detailed information on how to access and apply the remediations" remained behind a paywall as of Tuesday afternoon.

According to the details made public by the vendor, the flaw affects all supported versions (11.10, 11.9, and 11.8) of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core – and older, end-of-life releases are also at risk, the developer said. Ivanti issued patches for 11.8.1.1, 11.9.1.1, and 11.10.0.2.
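That version list is enough to triage an EPMM estate. The script below is an added example written for this article, not Ivanti's or CISA's tooling: it compares each install's version string against the fixed builds the advisory names (11.8.1.1, 11.9.1.1, 11.10.0.2) and flags anything below them, or on an end-of-life pre-11.8 branch, for action. The hostnames and versions in the sample inventory are constructed.

```python
"""
Triage an EPMM/MobileIron Core inventory against the CVE-2023-35078 fixed builds
named in Ivanti's advisory. Added example, not vendor tooling; the inventory
below is constructed sample data.
"""
from __future__ import annotations

# Fixed builds per supported branch, as listed in the public advisory.
FIXED_BUILDS = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.9.1.1' into (11, 9, 1, 1); malformed input raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts


def assess(version: str) -> str:
    """
    Classify one EPMM version string:
      'patched'      at or above the branch's fixed build
      'vulnerable'   supported branch but below the fixed build; apply the patch
      'end-of-life'  pre-11.8 branch, unsupported and at risk per Ivanti; upgrade
      'unknown'      branch newer than the advisory covers; check vendor guidance
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        # Pad to four components so "11.9.1" compares like 11.9.1.0
        padded = v + (0,) * (4 - len(v))
        return "patched" if padded >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < (11, 8):
        return "end-of-life"
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so the vulnerable and EOL lists can be actioned first."""
    buckets: dict[str, list[str]] = {}
    for host, version in inventory.items():
        buckets.setdefault(assess(version), []).append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "mdm-01.example.internal": "11.10.0.1",
    "mdm-02.example.internal": "11.10.0.2",
    "mdm-03.example.internal": "11.9.1.1",
    "mdm-04.example.internal": "11.8.1.0",
    "mdm-old.example.internal": "11.7.0.0",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(sorted(hosts))}")
```

Feed it the version strings from your own asset inventory; anything in the "vulnerable" or "end-of-life" buckets is exposed to CVE-2023-35078 according to the advisory, and "unknown" means a branch newer than the advisory covers, which the script deliberately refuses to guess about.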

"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," according to the alert. "We have received information from a credible source indicating exploitation has occurred."

Ivanti said it will continue working with clients and partners to investigate, and added it is aware of only a "very limited number of customers" that have been compromised. We're sure that's a comfort to them.

Behind the curtain

A spokesperson for the software maker told The Register it was informed of the security flaw late last week by said "credible source," and made the patch available to customers on Sunday.  

"We immediately investigated, developed the patch, and released it to customers within days of notification, and are actively engaging with customers to help them apply the fix," the spokesperson said. 

The spinner declined to answer specific questions about how many customers were compromised. The reasoning behind delaying the public disclosure, we're told, was to protect clients and give them time to mitigate the issue. 

"Because of the potential for exploitation, and at the request of our customers and partners, we provided extra time for our customers to apply the patch before information on the vulnerability was public," the rep told us.

"Our customers' security is our top priority, and with threat actors continuing to mature their tactics, we are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols."

Additionally, the spinner denied reports that Ivanti forced customers to sign a non-disclosure agreement specifically about this vulnerability, though said its security updates are typically shared confidentially. So it's not so much that customers were forced as that confidentiality is standard procedure.

"We do not ask for our customers to sign an NDA," the spokesperson said. "Our materials are subject to confidentiality and TLP because we don't want to make it easier for the exploitation to get out."

(TLP being the Traffic Light Protocol, a labelling scheme for describing how widely, or not, information can be shared.)

Ivanti also declined to discuss who was behind the exploitation or what their motivations may be.

"What we can say is that threat actors continue to mature their tactics, balancing dogged persistence and patience with sophisticated use of exploits, tools and emerging technologies," the representative added. 

Norwegian government harpooned

We do, however, know that a European government was one of the victims.

On Monday, Norway's national security officials revealed they had spotted a "data attack" affecting a software platform used by almost all of the country's government agencies except for the prime minister's office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs.  

"We have uncovered a previously unknown vulnerability in the software of one of our suppliers," Erik Hope, director of the Departments' Security and Service Organization (DSS), said during a press conference.

"This vulnerability has been exploited by an unknown actor," Hope continued. "We have now closed this vulnerability. It is too early to say anything about who is behind it and the extent of the attack."

Police are investigating the intrusion, and Norway's Data Protection Authority has been notified, the officials added. This – and the fact that the country's security officials described it as a "data attack" – suggests some government agency information was stolen, or at least accessed in some way, during the intrusion.

Later in the day, Norway disclosed the software that had been exploited was Ivanti's EPMM.

The country's National Security Authority (the other NSA) said it waited until Ivanti's patch was generally available before naming the software. 

"This vulnerability was unique, and was discovered for the very first time here in Norway," other-NSA director Sofie Nystrøm said in a statement. "If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world."

While Norway hasn't indicated who was responsible for the attack, it's worth noting that the NATO member has pledged billions of dollars in aid to Ukraine as the latter defends itself against Russia's invasion.

Norway is also Europe's largest supplier of natural gas, and its fuel exports are largely replacing embargoed Russian fuel on the continent. ®
