On 24 July, the Norwegian Security and Service Organization (DSS) published a public notice about an attack stemming from a zero-day vulnerability. The Norwegian government cyber attack was later attributed to an Ivanti zero-day vulnerability.
Details about the Ivanti zero-day vulnerability
Ivanti is an IT software company that offers software for IT security, service management, endpoint management, and identity management among others.
The Ivanti zero-day vulnerability CVE-2023-35078 was found in Ivanti Endpoint Manager Mobile (EPMM), which was previously called MobileIron Core.
The vulnerability in Ivanti EPMM was assigned a CVSS score of 10 and was marked as a critical flaw, according to the MITRE framework.
The Ivanti zero-day vulnerability could allow a hacker to remotely steal personally identifiable information, and add their own administrative accounts with increased privileges.
The vulnerability in Ivanti allowed hackers to change the configuration because of an authentication bypass, the MITRE page noted.
Norway’s government IT cyber attack due to the Ivanti zero-day vulnerability
A patch was made available for the critical Ivanti vulnerability. However, 12 ministries of the Norwegian government were impacted before systems could be patched.
It was confirmed by the Norwegian National Security Authority (NSM) that hackers breached a software platform that is used by 12 of its ministries.
The Norwegian IT software breach did not impact Norway’s Prime Minister’s office, the Ministry of Foreign Affairs, the Ministry of Defense, or the Ministry of Justice, despite the exploitation of the Ivanti zero-day vulnerability.
It is estimated that the presently unidentified hackers might have gained access to sensitive data. It appears that Norwegian authorities had been aware of this vulnerability in Ivanti EPMM for a while.
A notice by the NSM clarified that the vulnerability was discovered in Norway; however, the authorities refrained from publicizing it, as that could have increased the chances of exploitation.
According to reports, the authorities discovered the breach early on July 12.
What we know about the Ivanti EPMM flaw
The patched zero-day vulnerability in Ivanti Endpoint Manager Mobile was an authentication bypass flaw. It impacted all supported versions: Version 11.4 releases 11.10, 11.9, and 11.8.
The Ivanti vulnerability also impacted unsupported versions or releases that were older than 11.8.1.0, the Ivanti blog post read. Users were urged to upgrade to supported versions to avoid risk.
Those experiencing issues with upgrading were urged to install the temporary fix, available as an RPM Package Manager file. This fix would remain in place across reboots; however, it would be removed once the upgrade was made.
The fixed versions were as follows:
- 10.0.2
- 9.1.1
- 8.1.1
Hackers could access unrestricted API paths to change server configurations. A Tenable blog stated that hackers could access names, phone numbers, and details about mobile devices managed by Ivanti EPMM.
Although the Ivanti vulnerability impacted a small number of users, organizations are urged to install the patches as soon as possible to prevent threats.
Addressing the same, the Ivanti blog read, “We are only aware of a very limited number of customers that have been impacted. We are actively working with our customers and partners to investigate this situation.”
Users and organizations can use plugin IDs to detect affected assets in their environment; the plugin IDs were 141340 and 141341.