Article 6DDF2 Ivanti Rushes to Patch Zero-day Used to Breach Norway's Government

by requerdanos from SoylentNews on (#6DDF2)

upstart writes:

Ivanti rushes to patch zero-day used to breach Norway's government:

Hackers exploited a zero-day flaw in Ivanti's mobile endpoint management software to compromise a dozen Norwegian government agencies - and thousands of other organizations could also be at risk.

The Norwegian Security and Service Organization (DSS) said in a statement on Monday that a "data attack" had struck the IT platform used by 12 government ministries.

[...] The DSS said the attack was the result of a "previously unknown vulnerability in the software of one of our suppliers," but didn't share any further details. However, the Norwegian National Security Authority (NSM) later confirmed that hackers had leveraged the previously undiscovered flaw in Ivanti Endpoint Manager Mobile (EPMM; formerly MobileIron Core), to compromise Norwegian government agencies.

[...] Ivanti's EPMM allows authorized users and devices to access a corporate or government network. The vulnerability, tracked as CVE-2023-35078, is an authentication bypass flaw that affects all supported versions of Ivanti's EPMM software, along with older and unsupported releases. If exploited, the vulnerability allows anyone over the internet to remotely access the software - without needing credentials - to access users' personal information, such as names, phone numbers, and other mobile device details for users on a vulnerable system, as well as make changes to the impacted server.

[...] In a statement to TechCrunch, Ivanti chief security officer Daniel Spicer said that after the company became aware of the vulnerability, it "immediately developed and released a patch and are actively engaging with customers to help them apply the fix," adding that "we are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols."

However, Ivanti initially kept details of the flaw - which has been given a maximum vulnerability severity rating of 10 out of 10 - behind a paywall, and reportedly asked potentially impacted customers to sign a non-disclosure agreement before sharing details. At the time of writing, Ivanti's Knowledge Base article about the vulnerability still requires users to log in before viewing. [Note: Now viewable. -Ed.]

[...] As noted by cybersecurity researcher Kevin Beaumont, the vast majority of impacted organizations - a list which includes numerous U.S. and U.K. government departments - have not yet patched.
