NCC Group researchers have so far seen five instances in their client base of active exploitation of Log4Shell in MobileIron, noting that the “global scale of the exposure appears significant.”
In a blog post updated on Wednesday, the company shared a screenshot of a Shodan search showing 4,642 instances around the world.
NCC Group Global CTO Ollie Whitehouse told ZDNet that Shodan isn’t real-time but that there has been a small drop in total systems since yesterday.
Ivanti, which acquired MobileIron in December 2020, told ZDNet that customers using MobileIron were provided with mitigation steps and guidance this weekend.
Ivanti VP of security Daniel Spicer said that after a review of their products, they found the Log4j vulnerability impacting all versions of MobileIron Core, MobileIron Sentry, Core Connector, and Reporting Database (RDB). Those using the MobileIron Cloud are not affected by the issue.
“Over the weekend, we informed our customers and highly recommended that they follow the tested mitigations outlined in our Community Forum. Since then, we have stayed in regular communication with our customers,” Spicer said.
“Patching all systems for known vulnerabilities and ensuring the latest versions of Ivanti solutions are running is the best way for our customers to protect their environments from threats. Unfortunately, security threats across the industry will persist.”
Ivanti released an advisory and said the risk associated with CVE-2021-44228 is high “because these products sit in the DMZ and are vulnerable to a RCE attack due to the CVE.”
The mitigation instructions involve removing a vulnerable Java class (JndiLookup.class) from the affected Log4j Java library, which removes the ability to perform the RCE attack, Ivanti explained.
Cerberus Sentinel vice president Chris Clements said the number of vulnerable applications was not large at internet scale, but he noted the larger concern: successful exploitation of these systems could allow an attacker to compromise tens of thousands of mobile and computing devices managed by the MobileIron systems.
“That is a big deal. We are going to be dealing with the fallout from the Log4j vulnerability for a long time, I’m afraid,” Clements said.
The UK’s National Cyber Security Centre (NCSC) issued an alert in December 2020 warning that a number of state-backed hackers and criminal gangs were using a vulnerability in MDM software from MobileIron. The company’s MDM servers were previously targeted by hackers through other vulnerabilities.
Last December, Ivanti purchased outstanding MobileIron stock for roughly $872 million, representing a 27% premium on the firm’s share price at the time.