NetScaler WAF mitigates risk from Ivanti Remote Unauthenticated API access vulnerabilities

NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate the vulnerabilities related to Ivanti Endpoint Manager Mobile (Core) affecting versions 11.2 and prior.

The new signatures protect customers from the recent CVE-2023-35078 and CVE-2023-35082 vulnerability found in versions of Ivanti Endpoint Manager Mobile (Core) that allows unauthorized access to users’ personally identifiable information and limited changes to the server. 

The vulnerability (CVE-2023-35078) is classed as critical. Customers should apply the latest NetScaler WAF signature file to help mitigate exploitation of this vulnerability in their environments.You can download the signatures and apply them immediately.  

Mitigating CVE-2023-35078

The NIST database has details about the vulnerability:

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.

Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, recommends that customers refer to their published remediation measures

NetScaler customers can quickly implement the  following recommendations to help reduce risk and lower exposure associated with this vulnerability. If you are using any of the affected Ivanti Endpoint Manager Mobile  versions, NetScaler strongly recommends that you download the version 111 or later of the signature file and apply it to your NetScaler Web App Firewall deployments as an additional layer of protection for your applications.  Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: software versions 11.1 and 12.0 are end of life and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 111 or later and then follow these steps.

1. Search your signatures for CVE-2023-35078, CVE-2023-35082 LogString
2. Select the results with ID 
3. Choose “Enable Rules” and click OK

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list

# (Example: bind policy patset exception_list “/exception_url”) 

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY(“exception_list”).NOT

# (Example :  set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY(“exception_list”).NOT && <existing rule>^

NOTE: Any endpoint covered by the exception_list may expose those assets to risks from CVE-2023-35078, CVE-2023-35082.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

Learn more about NetScaler Web app Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.