Norway’s government services are facing a significant disruption following an attack exploiting a zero-day authentication bypass vulnerability in Ivanti software, specifically targeting the Norwegian Ministries Security and Service Organization.
The extent of the disruption
According to initial reports, the cyberattack hampered communication networks across 12 Norwegian government ministries, denying employees mobile services and email access. However, the Prime Minister’s office, the Ministry of Defense, the Ministry of Justice and Emergency Preparedness, and the Ministry of Foreign Affairs escaped unscathed.
The culprit: Ivanti security flaw
As stated by the Norwegian Security Authority, the cause is a remote unauthenticated API access vulnerability (CVE-2023-35078) in the Ivanti Endpoint Manager. The bug enables remote attackers to extract information, create an administrative account, and modify device configurations via authentication bypass. This issue affects several versions, including 11.4 and older, with 11.10 and subsequent versions also at risk.
The US Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerability could give unauthorized access to specific API paths, exposing personally identifiable information (PII) such as names, phone numbers, and other mobile device details on a vulnerable system.
The power of the exploit
Tenable senior research engineer, Satnam Narang, commented in a blog post that cyberattackers could potentially use the unrestricted API paths to change a server’s configuration file, leading to the creation of an administrative account for the Endpoint Manager Mobile (EPMM) interface. This account could then further compromise a vulnerable system.
Ivanti’s response
On discovering the exploitation, Ivanti promptly rallied resources to fix the problem. The company has a patch available for supported product versions and an RPM script for earlier versions. Although aware of a limited number of affected customers, Ivanti is investigating the situation in conjunction with customers and partners.
Norwegian government’s counteraction
The Norwegian national cybersecurity authorities, in collaboration with Ivanti and other partners, are actively working to mitigate the vulnerability’s impact. All known MobileIron Core users in Norway have been informed about security updates, and immediate installation is advised.
Sofie Nystrøm, director general of the Norwegian National Security Authority, remarked, “This vulnerability was unique and was discovered for the very first time here in Norway… The update is now widely available and it is prudent to announce what kind of vulnerability it is.”