Ivanti Zero-Day Exploit Disrupts Norway’s Government Services
A zero-day authentication bypass vulnerability in Ivanti software was exploited to carry out an attack on the Norwegian Ministries Security and Service Organization.
The attack affected communications networks at 12 Norwegian government ministries, according to the original statement, preventing employees in those departments from accessing mobile services and email.
The government noted that the Prime Minister’s office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs were not impacted.
What Was the Ivanti Security Vulnerability?
According to a statement posted by the Norwegian Security Authority, the flaw is a remote unauthenticated API access vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager.
The bug would allow a remote attacker to obtain information, add an administrative account, and change the device’s configuration, due to an authentication bypass. The vulnerability affects several software versions, including Version 11.4 and older; versions and releases from 11.10 are also at risk.
A statement from the US Cybersecurity and Infrastructure Security Agency (CISA) said the vulnerability allows unauthenticated access to specific API paths, which a cyberattacker can use to access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.
Tenable senior research engineer Satnam Narang said in a blog post that an attacker could potentially utilize the unrestricted API paths to modify a server’s configuration file, which could result in the creation of an administrative account for the endpoint manager’s management interface, known as EPMM (short for Endpoint Manager Mobile), that can then be used to make further changes to a vulnerable system.
According to a post by Ivanti, the company had received information from a credible source indicating exploitation has occurred. A follow-up blog by Ivanti said that upon learning of the vulnerability, “we immediately mobilized resources to fix the problem and have a patch available now for supported versions of the product. For customers on an earlier version, we have an RPM script to assist…
