False Positives for CVE-2023-35078

rgetteau1 · July 27, 2023, 7:05pm

Is anyone else getting a bunch of false positives from this new check? Since the check was released yesterday, it’s showing up all over my environment on machines that have nothing to do with Mobile Iron or Ivanti. For example, we have storage systems and network devices that are giving positive results to the check.
The Proof section is pretty vague. This is from one my my machines, but other machines are pretty identical results wise.

Running HTTPS service
HTTP GET request to
HTTP response code was 404 but expected 200
HTTP GET request to
HTTP response code was an expected 401

ilyaaz_noerkhan · July 27, 2023, 9:44pm

Yes seeing same stuff. It seems like this checks tries to access a certain url. If the webservice responds with a certain HTTP code (ex 200) then it’s deemed vulnerable. So i’m guessing if a HTTP service redirects this HTTP query and still reports an HTTP code, then IVM deems it vulnerable.

gdunn · July 27, 2023, 10:06pm

Are there any additional checks for a credentialed scan?

kevin_mccabe · July 28, 2023, 2:06pm

We have identified an issue with the check logic for CVE-2023-35078. We are currently working on rectifying this, and I will provide an update when I can confirm when this is shipping out.

kevin_mccabe · July 28, 2023, 5:05pm

An update for this check will be in todays content release, expected approx 3-4pm ET. This should rectify the false positive.

todd_cox · July 28, 2023, 8:06pm

Yes, same here - exactly what you are seeing. Looks like Kevin McCabe below investigated and could be corrected. Hopefully that fixes this.

gdunn · July 29, 2023, 11:37am

What content update includes the fix? nexpose-content-1.1.2932? After a manual update, my system is showing Newest Content Version Loaded: 1.1.2695

ant-bot · July 31, 2023, 1:13pm

I still see the same thing. Is this being worked on?

todd_cox · July 31, 2023, 2:17pm

Good morning. We don’t use EPMM in our environment, but still seeing nearly 100 instances. Did it get updated last Friday? Thank you! @kevin_mccabe

ant-bot · July 31, 2023, 7:04pm

so far for what i can see, it seems like using the API mifs/aad/api/v2/ping on any webserver will redirect to the device’s default index page which will then provide a 200/401 response. hence getting the false positive.

ebrio · August 1, 2023, 6:02am

We are experiencing the same detections which for us are false positive. We don’t use Ivanti EPMM. We have Endpoint Manager but not Mobile product I thought the detection would include checks for the core software installed and the url check as a secondary since it would be required to have EPMM core installed to be leveraged.

itimm · August 1, 2023, 8:35am

We’re also seeing these false positives since last week, despite doing a re-scan last night. Which InsightVM content version should we be on to get the updated detection? We have 1.1.2931.

ant-bot · August 1, 2023, 1:25pm

if anyone is interested, here is the public POC

MJ-VMR7 · August 1, 2023, 3:21pm

We saw this pop-up against our Aruba APs. While we don’t use EPMM in our environment, there was a vulnerability that we found against our APs once we started investigating. It was not flagged by R7… weird… since we patched the APs I have not seen any more EPMM alerts… but maybe it’s a coincidence…

pleon · August 3, 2023, 2:25pm

Has this been marked as false positive? Suddenly the FNDs have been removed?

jjguest · August 4, 2023, 2:10pm

I noticed a special scan ran this morning and all my assets that were showing this vuln are no longer vuln so they have fixed something