Ivanti disclosed and patched a second bug affecting its Endpoint Manager Mobile (EPMM) software, just days after releasing patches for a critical severity zero-day flaw impacting the same product.
Both vulnerabilities are being actively exploited by threat actors and EPMM users are being urged to apply the available patches as soon as possible.
It was revealed last week that the earlier bug (tracked as CVE-2023-35078, with the maximum possible CVSS v3 score of 10) was exploited in an attack against a dozen ministries within the Norwegian government.
Ivanti’s EPMM solution is a widely used mobile management software engine that enables IT departments to set policies for mobile devices, applications, and content. It counts government agencies around the world amongst its users, including a number in the U.S.
The newly identified bug (tracked as CVE-2023-35081) is a path traversal vulnerability with a CVSS v3 rating of 7.2 that allows an attacker to write arbitrary files onto the appliance.
In an advisory published on Friday, Ivanti said the new vulnerability impacted all versions of EPMM (previously known as MobileIron Core) and it was “critical” that users took immediate action to remediate their instances.
“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs (access control list) restrictions (if applicable),” Ivanti said.
The company thanked cybersecurity firm Mnemonic for its assistance in identifying the new vulnerability. In a blog post, Mnemonic said remote file write vulnerabilities “pose serious threats to system security” and “could potentially lead to a broad spectrum of attacks, including data breaches and system takeovers”.
The Mnemonic researchers said they had observed the new EPMM vulnerability being exploited in combination with CVE-2023-35078 to write Java server pages and Java .class files to disk.
“These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious java bytecode on the affected servers,” they said.
That was confirmed in the Ivanti advisory, which stated: “Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.”
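The chain described above turns on one defect: a file-write endpoint that accepts a caller-controlled name and drops the result wherever the path resolves, which is what lets a write land in a directory the application server loads code from. The following is an added example, not Ivanti's, Mnemonic's or EPMM's code; the upload root, file names and encodings are constructed for illustration and do not reflect any real EPMM endpoint or layout. It shows the vulnerable join pattern beside a containment check that decodes, resolves and then verifies the final path still lies under the intended root, including the absolute-path and double-encoding cases that naive prefix checks miss.

```python
"""Added example: path-traversal file write and a containment check.

Not EPMM's code. The upload root and sample names are constructed; nothing
here reflects the real product's endpoints, paths or request format."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the upload root."""


def naive_target(root: Path, user_supplied: str) -> Path:
    """The vulnerable pattern: join a caller-controlled name under the root
    with no check on where the resolved path ends up."""
    return root / user_supplied


def naive_escapes_root() -> bool:
    """Show that the naive join can leave the root (constructed paths)."""
    root = Path("/srv/uploads")                       # hypothetical root
    target = naive_target(root, "../../webapps/ROOT/x.jsp")
    normalized = os.path.normpath(str(target))        # -> /webapps/ROOT/x.jsp
    return not normalized.startswith(str(root) + os.sep)


def contained_target(root: Path, user_supplied: str) -> Path:
    """Hardened form: decode, resolve '..' and symlinks, then require that the
    final path is still inside the root. Raises PathTraversalError otherwise."""
    # Decode repeatedly so double-encoded sequences (%252e%252e) cannot slip
    # past a check that only looks at the raw request string.
    decoded = user_supplied
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    root_resolved = root.resolve()
    # Path("/root") / "/abs/path" yields "/abs/path": an absolute name replaces
    # the root entirely, so the check must run on the resolved result.
    candidate = (root_resolved / decoded).resolve()
    # Compare path components, not string prefixes ("/data" vs "/data2").
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise PathTraversalError(f"{user_supplied!r} escapes {root_resolved}")
    return candidate


def classify(root: Path, names) -> dict:
    """Return an accepted/rejected verdict for each candidate file name."""
    verdicts = {}
    for name in names:
        try:
            contained_target(root, name)
            verdicts[name] = "accepted"
        except PathTraversalError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample of names a file-write endpoint might receive.
SAMPLE_NAMES = [
    "report.pdf",                          # plain name, stays in root
    "subdir/profile.xml",                  # nested but still in root
    "../../webapps/ROOT/x.jsp",            # plain traversal
    "..%2F..%2Fwebapps%2FROOT%2Fx.jsp",    # URL-encoded traversal
    "%252e%252e/classes/X.class",          # double-encoded traversal
    "/tmp/outside.txt",                    # absolute path replaces the root
]


def demo() -> dict:
    """Run the containment check against SAMPLE_NAMES under a temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        return classify(root, SAMPLE_NAMES)


if __name__ == "__main__":
    print("naive join escapes root:", naive_escapes_root())
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Resolving before comparing is what makes the check robust: a name that is rejected here is rejected because of where it would land on disk, not because of which characters it contains, so the list of encodings an attacker might try never has to be enumerated. In a servlet container the same principle applies to any write under the web application's directory tree, which is exactly where a dropped JSP or .class file becomes executable.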
Apache Tomcat is a popular open-source Java application server which was identified last week as a target of attackers spreading Mirai botnet malware.
In an alert published on Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urged security teams to patch the vulnerabilities and said Ivanti had reported both CVE-2023-35081 and CVE-2023-35078 were being actively exploited.
The newly available patches for CVE-2023-35081 also include patches for CVE-2023-35078.
CISA said CVE-2023-35078 could be exploited on an unpatched system to gain EPMM administrator privileges, allowing an attacker to then write arbitrary files with the operating system privileges of the web application server.
“The attacker could then execute the uploaded file, for example, a web shell,” the agency said.
Last week, CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog and ordered all Federal Civilian Executive Branch agencies to remediate the flaw by August 15. The agency has not yet taken similar steps in regard to CVE-2023-35081.