Ivanti plugs critical bug – but not before it was used against Norwegian government

Uncle Sam warns sysadmins to get patching as soon as possible

A critical security flaw in Ivanti's mobile endpoint management code was exploited and used to compromise 12 Norwegian government agencies before the vendor plugged the hole.

On Monday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog, flagging it as a bug that should be urgently patched.

CISA did not immediately respond to The Register's inquiries about whether any US government agencies or corporations have been compromised via the hole.

After initially taking down an advisory with details about the bug, and then hiding the advisory behind a paywall, on Tuesday Ivanti finally posted a public-facing security alert about CVE-2023-35078 – a remote authentication bypass vulnerability, which received a nastily perfect 10 out of 10 CVSS severity rating. 

A knowledge-base article with "detailed information on how to access and apply the remediations" remained behind a paywall as of Tuesday afternoon.

According to the details made public by the vendor, the flaw affects all supported versions (11.10, 11.9, and 11.8) of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core – and older, end-of-life releases are also at risk, the developer said. Ivanti issued patches for 11.8.1.1, 11.9.1.1, and 11.10.0.2.

"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," according to the alert. "We have received information from a credible source indicating exploitation has occurred."

Ivanti said it will continue working with clients and partners to investigate, and added it is aware of only a "very limited number of customers" that have been compromised. We're sure that's a comfort to them.

Behind the curtain

A spokesperson for the software maker told The Register it was informed of the security flaw late last week by said "credible source," and made the patch available to customers on Sunday.  

"We immediately investigated, developed the patch, and released it to customers within days of notification, and are actively engaging with customers to help them apply the fix," the spokesperson said. 

The spinner declined to answer specific questions about how many customers were compromised. The reasoning behind delaying the public disclosure, we're told, was to protect clients and give them time to mitigate the issue. 

"Because of the potential for exploitation, and at the request of our customers and partners, we provided extra time for our customers to apply the patch before information on the vulnerability was public," the rep told us.

"Our customers' security is our top priority, and with threat actors continuing to mature their tactics, we are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols."

Additionally, the spinner denied reports that Ivanti forced customers to sign a non-disclosure agreement specifically about this vulnerability, though said its security updates are typically shared confidentially. So it's not so much that customers are forced into secrecy as that confidentiality is standard procedure.

"We do not ask for our customers to sign an NDA," the spokesperson said. "Our materials are subject to confidentiality and TLP because we don't want to make it easier for the exploitation to get out."

(TLP being the Traffic Light Protocol, a labelling scheme for describing how widely, or not, information can be shared.)

Ivanti also declined to discuss who was behind the exploitation or what their motivations may be.

"What we can say is that threat actors continue to mature their tactics, balancing dogged persistence and patience with sophisticated use of exploits, tools and emerging technologies," the representative added. 

Norwegian government harpooned

We do, however, know that a European government was one of the victims.

On Monday, Norway's national security officials revealed they had spotted a "data attack" affecting a software platform used by almost all of the country's government agencies except for the prime minister's office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs.  

"We have uncovered a previously unknown vulnerability in the software of one of our suppliers," Erik Hope, director of the Departments' Security and Service Organization (DSS), said during a press conference.

"This vulnerability has been exploited by an unknown actor," Hope continued. "We have now closed this vulnerability. It is too early to say anything about who is behind it and the extent of the attack."

Police are investigating the intrusion, and Norway's Data Protection Authority has been notified, the officials added. This – and the fact that the country's security officials described it as a "data attack" – suggests some government agency information was stolen, or at least accessed in some way, during the intrusion.

Later in the day, Norway disclosed the software that had been exploited was Ivanti's EPMM.

The country's National Security Authority (the other NSA) said it waited until Ivanti's patch was generally available before naming the software. 

"This vulnerability was unique, and was discovered for the very first time here in Norway," other-NSA director Sofie Nystrøm said in a statement. "If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world."

While Norway hasn't indicated who was responsible for the attack, it's worth noting that the NATO member has pledged billions of dollars in aid to Ukraine as the latter defends itself against Russia's invasion.

Norway is also Europe's largest supplier of natural gas, and its fuel exports are largely replacing embargoed Russian fuel on the continent. ®
