CVE-2023-35078

shodan dorks

You can use the following shodan dorks to find public targets.

• http.favicon.hash:362091310
• http.favicon.hash:545827989
• path=/mifs

You can use the following to transform data from shodan API to format suitable for the checking script:

jq -cr 'select(.http.favicon.hash == 362091310) | [ if .ssl? then "https://" else "http://" end , (.ip_str) + ":" + (.port|tostring)] | add' example.json > your_data_file.txt

usage

• clone the repository
• ./CVE-2023-35078.sh http[s]://your.target:port (define both protocol and target port)

If you want to test multiple targets, you can simply wrap it up with a loop: while read line; do ./CVE-2023-35078.sh $line; done < your_data_file.txt

additional info about the vuln

• https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-is-actively-exploited-cve-2023-35078/
• https://cyberplace.social/@GossiTheDog/110769716667847266
• https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
• https://doublepulsar.com/mobileirony-backdoor-allows-complete-takeover-of-mobile-security-product-and-endpoints-559733d612e1
• https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078

details about vulnerable/patched versions

• https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US

This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.

• https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-is-actively-exploited-cve-2023-35078/

you can fix the vulnerability by upgrading to EPMM versions 11.8.1.1, 11.9.1.1, and 11.10.0.2. These fixed versions also cover unsupported and End-of-Life (EoL) software versions that are lower than 11.8.1.0.