UPDATED: EPMM Security Concern with Server Response Leak
At Ivanti, we are committed to delivering innovative, high quality and secure solutions for our customers. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources.
We have determined that there is a vulnerability (CVE-2023-25690) related to open-source code used in Ivanti Endpoint Manager Mobile (formerly known as MobileIron Core) versions 11.9.0.1 and below. Attackers could potentially exploit this vulnerability to receive responses to requests made by genuine authenticated users. These responses could include Personal Identifiable Information.
The latest version Ivanti Endpoint Manager Mobile (EPMM) 11.10.0.1 is NOT vulnerable. Ivanti Sentry and Ivanti Neurons for MDM (formerly known as MobileIron Cloud) are also not affected.
Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and collaborated with the Security Researcher that found the vulnerability. While complex to execute, the Researcher has been able to exploit the vulnerability.
We encourage all EPMM customers on versions 11.9.0.1 and below to update to EPMM version 11.10.0.1. Alternatively, you can update httpd RPM to deploy the fix. All information on how to do so can be found in this Knowledge Base article.
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).