How to find Ivanti EPMM (MobileIron Core)
How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero #
On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully exploiting this vulnerability would allow an unauthenticated remote attacker to access users’ personally identifiable information (PII) and make changes to the vulnerable server.
There is evidence that this vulnerability is being exploited in the wild.
What is Ivanti Endpoint Manager Mobile (EPMM)? #
Ivanti Endpoint Manager Mobile (EPMM) is a mobile management software product that helps organizations set policies for mobile devices, applications, and content. It was formerly known as MobileIron Core. What is the impact? An unauthenticated remote attacker who successfully exploited this vulnerability would be able to retrieve users’ personally identifiable information (PII) and make changes to the vulnerable server. This is due to an authentication bypass vulnerability, meaning that in some cases an attacker can bypass authentication controls.
With a CVSS score of 10.0, this vulnerability is considered critical. There is evidence that this vulnerability is being exploited in the wild and this vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog.
Are updates available? #
Ivanti has released a patch for this vulnerability and issued guidance for customers on how to upgrade.
How do I find potentially vulnerable Ivanti Endpoint Management Mobile services with runZero? #
EPMM can be found by navigating to the Services Inventory and using the following pre-built query to locate EPMM services on your network:
_asset.protocol:http AND protocol:http AND html.title:"Ivanti User Portal: Sign In"
Starting with runZero 3.10.10, from the Asset Inventory use the following pre-built query to locate EPMM services on your network:
product:”Ivanti Endpoint Manager Mobile”
Results from the above query should be triaged to determine if they require patching. As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Ivanti EPMM instances?
Get started
Rob King is a Principal Researcher at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.
Similar Content
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …
Read MoreSeptember 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreSeptember 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …
Read More