<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2023-35078 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2023-35078/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2023-35078/feed.xml" rel="self" type="application/rss+xml"/><item><title>Ivanti EPMM Unauthenticated API Access via CVE-2023-35078</title><link>https://feed.craftedsignal.io/briefs/2024-01-ivanti-epmm-cve-2023-35078/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ivanti-epmm-cve-2023-35078/</guid><description>Exploitation of CVE-2023-35078 in Ivanti EPMM allows unauthenticated remote API access, potentially leading to data theft, unauthorized modifications, or further system compromise.</description><content:encoded><![CDATA[<p>CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. This vulnerability allows unauthenticated remote API access, enabling attackers to bypass authentication and access sensitive data and functionalities. Publicly available proof-of-concept (POC) exploits exist, increasing the risk of widespread exploitation. Successful exploitation can result in unauthorized access to user data, system configuration, and other sensitive resources managed by the EPMM server. The vulnerability has been actively exploited in the wild, posing a significant threat to organizations using affected Ivanti EPMM versions. Defenders should prioritize patching and implement detection measures to identify and prevent exploitation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an Ivanti EPMM server running a vulnerable version (&lt;= 11.4).</li>
<li>The attacker sends a crafted HTTP request to the <code>/mifs/aad/api/v2/authorized/users?*</code> endpoint without authentication.</li>
<li>The vulnerable EPMM server processes the request without proper authentication checks.</li>
<li>The server responds with a 200 OK status code, indicating successful access to the API endpoint.</li>
<li>The attacker leverages the unauthorized API access to enumerate authorized users.</li>
<li>Using enumerated user information, the attacker gains access to sensitive data and system configurations.</li>
<li>The attacker may modify system configurations, install malicious software, or exfiltrate sensitive data.</li>
<li>The attacker achieves full system compromise and potentially pivots to other internal systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-35078 can have severe consequences, including unauthorized access to sensitive data, modification of system configurations, and potential installation of malware. This can lead to data breaches, financial losses, and reputational damage. While specific victim counts are unavailable in the provided source, the widespread use of Ivanti EPMM suggests a broad potential impact across various sectors. The ability to remotely access and control EPMM servers without authentication makes this a highly critical vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Detect Ivanti EPMM CVE-2023-35078 API Access</code> to your SIEM to detect unauthorized access attempts to the vulnerable API endpoint.</li>
<li>Monitor web server logs for HTTP requests to the <code>/mifs/aad/api/v2/authorized/users?*</code> endpoint with a 200 status code, as indicated by the IOC <code>*/mifs/aad/api/v2/authorized/users?*</code>.</li>
<li>Investigate any alerts generated by the Sigma rule or observed suspicious activity in web server logs promptly.</li>
<li>Refer to the Ivanti advisory (<a href="https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US">https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US</a>) for patching and mitigation guidance.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>ivanti</category><category>epmm</category><category>cve-2023-35078</category><category>unauthenticated-access</category></item></channel></rss>