Ivanti plugs critical bug – but not before it was used against Norwegian government


A critical security flaw in Ivanti's mobile endpoint management code was exploited and used to compromise 12 Norwegian government agencies before the vendor plugged the hole.

On Monday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog, meaning it should be urgently patched.

CISA did not immediately respond to The Register's inquiries about whether any US government agencies or corporations have been compromised via the hole.

After initially taking down an advisory with details about the bug, and then hiding the advisory behind a paywall, on Tuesday Ivanti finally posted a public-facing security alert about CVE-2023-35078 – a remote authentication bypass vulnerability, which received a nastily perfect 10 out of 10 CVSS severity rating.

A knowledge-base article with "detailed information on how to access and apply the remediations" remained behind a paywall as of Tuesday afternoon.

According to the details made public by the vendor, the flaw affects all supported versions (11.10, 11.9, and 11.8) of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core – and older, end-of-life releases are also at risk, the developer said. Ivanti issued patches for 11.8.1.1, 11.9.1.1, and 11.10.0.2.
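A defender's first question is whether each EPMM host in the estate is on a fixed build. The following is an added example, not Ivanti's tooling; it encodes only the branches and fixed builds quoted above, treats anything below 11.8 as end-of-life with no patch, and the host inventory it checks is constructed sample data.

```python
"""Patch-status check for Ivanti EPMM against CVE-2023-35078.

Affected branches and fixed builds are the ones the article reports;
the version strings in the demo are constructed sample inputs.
"""
from typing import Tuple

# Fixed builds per supported branch, as listed by the vendor.
FIXED_BUILDS = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}
# Releases below the oldest supported branch are end-of-life: affected,
# but with no patch available, so the only remediation is an upgrade.
OLDEST_SUPPORTED = (11, 8)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.9.1' into (11, 9, 1); reject non-numeric components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts


def padded(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so 11.9.1 compares as 11.9.1.0."""
    return v + (0,) * (width - len(v))


def patch_status(text: str) -> str:
    """Classify an installed build: patched, vulnerable, end-of-life or unknown."""
    v = parse_version(text)
    branch = v[:2]
    if branch < OLDEST_SUPPORTED:
        return "end-of-life"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # a branch the advisory does not list
    return "vulnerable" if padded(v) < fixed else "patched"


if __name__ == "__main__":
    # Constructed inventory of EPMM hosts, not real data.
    inventory = {"mdm-a": "11.10.0.1", "mdm-b": "11.9.1.1", "mdm-c": "11.7.2"}
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {patch_status(ver)}")
```

Note that a three-part version such as 11.9.1 is older than the 11.9.1.1 fix and is reported as vulnerable, which is the common case when a release string is read from a banner rather than the full build number.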

"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," according to the alert. "We have received information from a reliable source indicating exploitation has occurred."

Ivanti said it will continue working with clients and partners to investigate, and added it is aware of only a "very limited number of customers" that have been compromised. We're sure that's a comfort to them.

Behind the curtain

A spokesperson for the software maker told The Register it was informed of the security flaw late last week by said "credible source," and made the patch available to customers on Sunday.

"We immediately investigated, developed the patch, and released it to customers within days of notification, and are actively engaging with customers to help them apply the fix," the spokesperson said.

The spokesperson declined to answer specific questions about how many customers were compromised. The reasoning behind delaying the public disclosure, we're told, was to protect clients and give them time to mitigate the issue.

"Because of the potential for exploitation, and at the request of our customers and partners, we provided extra time for our customers to apply the patch before information on the vulnerability was public," the rep told us.

"Our customers' security is our top priority, and with threat actors continuing to mature their tactics, we are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols."

Additionally, the spokesperson denied reports that Ivanti forced customers to sign a non-disclosure agreement specifically about this vulnerability, though said its security updates are typically shared confidentially. So it's not so much being forced as it being standard procedure.

"We do not ask for our customers to sign an NDA," the spokesperson said. "Our materials are subject to confidentiality and TLP because we don't want to make it easier for the exploitation to get out."

(TLP being the Traffic Light Protocol, a scheme for describing how widely, or not, material can be shared.)

Ivanti also declined to discuss who was behind the exploitation or what their motivations may be.

"What we can say is that threat actors continue to mature their tactics, balancing dogged persistence and patience with sophisticated use of exploits, tools and emerging technologies," the representative added.

Norwegian government harpooned

We do, however, know that a European government was one of the victims.

On Monday, Norway's national security officials revealed they had spotted a "data attack" affecting a software platform used by almost all of the country's government agencies except for the prime minister's office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs.

"We have discovered a previously unknown vulnerability in the software of one of our suppliers," Erik Hope, director of the Departments' Security and Service Organization (DSS), said during a press conference.

"This vulnerability has been exploited by an unknown actor," Hope continued. "We have now closed this vulnerability. It is too early to say anything about who is behind it and the extent of the attack."

Police are investigating the intrusion, and Norway's Data Protection Authority has been notified, the officials added. This – and the fact that the country's security officials described it as a "data attack" – suggests some government agency information was stolen, or at least accessed in some way, during the intrusion.

Later in the day, Norway disclosed the software that had been exploited was Ivanti's EPMM.


The country's National Security Authority (the other NSA) said it waited until Ivanti's patch was generally available before naming the software.

"This vulnerability was unique, and was discovered for the very first time here in Norway," other-NSA director Sofie Nystrøm said in a statement. "If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world."

While Norway hasn't indicated who was responsible for the attack, it's worth noting that the NATO member has pledged billions of dollars in aid to Ukraine as the latter defends itself against Russia's invasion.

Norway is also Europe's largest supplier of natural gas, and its fuel exports are largely replacing embargoed Russian fuel on the continent.