Merge pull request #2801 from splunk/cve-2023-35082
patel-bhavin committed Aug 8, 2023
2 parents e8fa5ab + a99eeef commit b1b8f2e
Showing 2 changed files with 68 additions and 4 deletions.
@@ -0,0 +1,60 @@
name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
id: e03edeba-4942-470c-a664-27253f3ad351
version: 1
date: '2023-08-08'
author: Michael Haag, Splunk
status: production
type: TTP
data_source: []
description: 'The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. \
Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.'
search: '| tstats count min(_time) as firstTime max(_time)
as lastTime from datamodel=Web where Web.url IN ("/mifs/asfV3/api/v2/*") Web.status=200
by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`'
how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
known_false_positives: Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
references:
- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
- https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py
- https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
tags:
analytic_story:
- Ivanti EPMM Remote Unauthenticated Access
asset_type: Web Server
cve:
- CVE-2023-35082
atomic_guid: []
confidence: 80
impact: 80
message: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.
mitre_attack_id:
- T1190
- T1133
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 64
required_fields:
- _time
- Web.http_method
- Web.url
- Web.url_length
- Web.src
- Web.dest
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log
source: suricata
sourcetype: suricata
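Review bot: `required_fields` is out of sync with the search. The `by` clause groups on `Web.http_user_agent` and `Web.status`, and the `where` clause filters on `Web.status=200`, but neither field is listed under `required_fields` (only `Web.http_method`, `Web.url`, `Web.url_length`, `Web.src`, `Web.dest`); add `Web.status` and `Web.http_user_agent` so the field-availability check reflects what the detection actually needs. Two smaller points: the `by` list mixes delimiters (`Web.status Web.http_method` has no comma while the rest are comma-separated; SPL tolerates it, but make it consistent), and `data_source: []` is empty even though `how_to_implement` names Suricata/Palo Alto and the test dataset is `source: suricata`, so populate it if the schema has a matching value. In the description, `Ivantis` should read `Ivanti's`.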

12 changes: 8 additions & 4 deletions stories/ivanti_epmm_remote_unauthenticated_access.yml
@@ -1,10 +1,14 @@
name: Ivanti EPMM Remote Unauthenticated Access
id: 7e36ca54-c096-4a39-b724-6fc935164f0c
version: 1
date: '2023-07-31'
version: 2
date: '2023-08-08'
author: Michael Haag, Splunk
description: Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. The former allows unauthenticated attackers to obtain sensitive data and modify servers, while the latter lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. Organizations are urged to apply immediate patches, as the presence of PoC code for CVE-2023-35078 increases the risk of broader exploitation. While currently leveraged in limited attacks, exploitation is likely to rise, possibly involving state-sponsored actors.
narrative: Ivanti's Endpoint Manager Mobile (EPMM) product has been discovered to have two critical zero-day vulnerabilities, CVE-2023-35078 and CVE-2023-35081. The former allows remote unauthenticated attackers to access sensitive data and make changes to servers, and has been exploited in targeted attacks against Norwegian government ministries. Further investigation revealed CVE-2023-35081, a high-severity flaw enabling an authenticated attacker with administrator privileges to remotely write arbitrary files to the server. Notably, these vulnerabilities can be exploited together to bypass admin authentication and access control list (ACL) restrictions, leading to malicious file writing and OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and CISA. EPMM, formerly known as MobileIron Core, is widely used by IT teams to manage mobile devices, applications, and content. With thousands of potentially vulnerable internet-exposed systems and the availability of proof-of-concept code for CVE-2023-35078, the risk of broader exploitation is significant. The situation is further complicated by Ivanti's acquisition of products in 2020 that already had known flaws. These vulnerabilities represent a considerable risk to organizations using Ivanti's EPMM, and prompt patching and careful monitoring are essential to mitigate the threat.
description: Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.
narrative: Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server. \

Recently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/. \

When combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.
references:
- https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/
- https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081
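Review bot: the rewritten `description` now names three CVEs before saying "The former allows unauthenticated attackers...", so "the former" no longer resolves unambiguously (the sentence was written when only CVE-2023-35078 and CVE-2023-35081 were mentioned); name the CVE explicitly, e.g. "CVE-2023-35078 allows unauthenticated attackers...". The same drift appears in the new `narrative` paragraph "Both have been actively exploited", which follows a paragraph about CVE-2023-35082 and so reads as if 35082 is one of the "both"; say which two. Also `Ivantis Endpoint Manager Mobile` should be `Ivanti's Endpoint Manager Mobile`, matching the previous wording.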