How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero
On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully exploiting this vulnerability would allow an unauthenticated remote attacker to access users’ personally identifiable information (PII) and make changes to the vulnerable server.
There is evidence that this vulnerability is being exploited in the wild.
What is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM) is a mobile management software product that helps organizations set policies for mobile devices, applications, and content. It was formerly known as MobileIron Core.
What is the impact?
An unauthenticated remote attacker who successfully exploited this vulnerability would be able to retrieve users’ personally identifiable information (PII) and make changes to the vulnerable server. This is due to an authentication bypass vulnerability, meaning that in some cases an attacker can bypass authentication controls.
With a CVSS score of 10.0, this vulnerability is considered critical. There is evidence that this vulnerability is being exploited in the wild and this vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog.
Are updates available?
Ivanti has released a patch for this vulnerability and issued guidance for customers on how to upgrade.
How do I find potentially vulnerable Ivanti Endpoint Management Mobile services with runZero?
EPMM can be found by navigating to the Services Inventory and using the following pre-built query to locate EPMM services on your network:
_asset.protocol:http AND protocol:http AND html.title:"Ivanti User Portal: Sign In"
Starting with runZero 3.10.10, from the Asset Inventory use the following pre-built query to locate EPMM services on your network:
product:”Ivanti Endpoint Manager Mobile”
Results from the above query should be triaged to determine if they require patching.
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
