Ivanti Zero-Day Exploit Disrupts Norway's Government Services

A zero-day authentication bypass vulnerability in Ivanti software was exploited to carry out an attack on the Norwegian Ministries Security and Service Organization.

The attack affected communications networks at 12 Norwegian government ministries, according to the original statement, preventing employees in those departments from accessing mobile services and email.

The government noted that the Prime Minister's office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs were not impacted.

What Was the Ivanti Security Vulnerability?

According to a statement posted by the Norwegian Security Authority, the flaw is a remote unauthenticated API access vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager.

The bug would allow a remote attacker to obtain information, add an administrative account, and change the device's configuration, due to an authentication bypass. The vulnerability affects several software versions, including Version 11.4 and older; versions and releases from 11.10 are also at risk.

A statement from the US Cybersecurity and Infrastructure Security Agency (CISA) said the vulnerability allows unauthenticated access to specific API paths, which a cyberattacker can use to access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.

Tenable senior staff research engineer Satnam Narang said in a blog post that an attacker could potentially utilize the unrestricted API paths to modify a server's configuration file, which could result in the creation of an administrative account for the endpoint manager's management interface, known as EPMM (short for Endpoint Manager Mobile), that can then be used to make further changes to a vulnerable system.

According to a post by Ivanti, the company had received information from a credible source indicating exploitation has occurred. A follow-up blog by Ivanti said that upon learning of the vulnerability, "we immediately mobilized resources to fix the problem and have a patch available now for supported versions of the product. For customers on an earlier version, we have an RPM script to assist in remediation."

The company also said it is only aware of a very limited number of customers that have been impacted, and it is actively working with customers and partners to investigate the situation.

What Is the Government's Response?

The Norwegian national cybersecurity authorities said they have had an ongoing dialog with Ivanti and other partners to help close the impact of the vulnerability, and a number of measures have been taken to reduce and minimize the risk that the vulnerability could cause both in Norway and globally.

All known MobileIron Core users in Norway have been made aware of available security updates, and the government recommends that security updates be installed immediately.

Sofie Nystrøm, director general of the Norwegian National Security Authority, said, "This vulnerability was unique and was discovered for the very first time here in Norway. If we had published information about the vulnerability too early, it could have contributed to its abuse elsewhere in Norway and in the rest of the world. The update is now widely available and it is prudent to announce what kind of vulnerability it is."