Is anyone else getting a bunch of false positives from this new check? Since the check was released yesterday, it’s showing up all over my environment on machines that have nothing to do with Mobile Iron or Ivanti. For example, we have storage systems and network devices that are giving positive results to the check.
The Proof section is pretty vague. This is from one my my machines, but other machines are pretty identical results wise.
- Running HTTPS service
HTTP GET request to
HTTP response code was 404 but expected 200
HTTP GET request to
HTTP response code was an expected 401
Yes seeing same stuff. It seems like this checks tries to access a certain url. If the webservice responds with a certain HTTP code (ex 200) then it’s deemed vulnerable. So i’m guessing if a HTTP service redirects this HTTP query and still reports an HTTP code, then IVM deems it vulnerable.
Are there any additional checks for a credentialed scan?
We have identified an issue with the check logic for CVE-2023-35078. We are currently working on rectifying this, and I will provide an update when I can confirm when this is shipping out.
An update for this check will be in todays content release, expected approx 3-4pm ET. This should rectify the false positive.
Yes, same here - exactly what you are seeing. Looks like Kevin McCabe below investigated and could be corrected. Hopefully that fixes this.
What content update includes the fix? nexpose-content-1.1.2932? After a manual update, my system is showing Newest Content Version Loaded: 1.1.2695
I still see the same thing. Is this being worked on?
Good morning. We don’t use EPMM in our environment, but still seeing nearly 100 instances. Did it get updated last Friday? Thank you! @kevin_mccabe
so far for what i can see, it seems like using the API mifs/aad/api/v2/ping on any webserver will redirect to the device’s default index page which will then provide a 200/401 response. hence getting the false positive.
We are experiencing the same detections which for us are false positive. We don’t use Ivanti EPMM. We have Endpoint Manager but not Mobile product I thought the detection would include checks for the core software installed and the url check as a secondary since it would be required to have EPMM core installed to be leveraged.
We’re also seeing these false positives since last week, despite doing a re-scan last night. Which InsightVM content version should we be on to get the updated detection? We have 1.1.2931.
if anyone is interested, here is the public POC
We saw this pop-up against our Aruba APs. While we don’t use EPMM in our environment, there was a vulnerability that we found against our APs once we started investigating. It was not flagged by R7… weird… since we patched the APs I have not seen any more EPMM alerts… but maybe it’s a coincidence…
Has this been marked as false positive? Suddenly the FNDs have been removed?
I noticed a special scan ran this morning and all my assets that were showing this vuln are no longer vuln so they have fixed something