Ivanti Sentry zero-day vulnerability exploited, patch ASAP! (CVE-2023-38035)
Ivanti is urging administrators of Ivanti Sentry (formerly MobileIron Sentry) gateways to patch a newly discovered vulnerability (CVE-2023-38035) that could be exploited to change configuration, run system commands, or write files onto the vulnerable system.
“As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035,” the company said in the advisory, but still has to clarify whether that means detected exploitation attempts or simply vulnerable installations reachable via internet.
About CVE-2023-38035
CVE-2023-38035 is an API authentication bypass flaw that may enable unauthenticated attackers to access APIs that are used to configure the Ivanti Sentry on the administrator portal/interface (aka the MobileIron Configuration Service – MICS), which runs by default on port 8443.
The source of the vulnerability is an insufficiently restrictive Apache HTTPD configuration.
“While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet,” the company said. “Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet.”
CVE-2023-38035 affects the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, including now unsupported releases.
The vulnerability has been reported by researchers with Mnemonic, who describe it as a zero day flaw, but also do not say whether they discovered it as it was being exploited.
Fixes are available
Ivanti has created fixes, which can be implemented via scripts that have been made available for affected supported versions (v9.18, 9.17 and 9.16) of the solution.
“We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version,” the company advised.
“Each script is customized for a single version. Please note: If the wrong RPM script is applied it may prevent the vulnerability from being remediated or cause system instability.”
As the Mnemonic researchers explained, “Ivanti Sentry is a server in an Ivanti deployment that serves as a gatekeeper between mobile devices and a company’s ActiveSync server, such as a Microsoft Exchange Server, or with a backend resource such as a Sharepoint server, or it can be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. Sentry gets configuration and device information from the Ivanti Endpoint Manager Mobile (EPMM) platform.”
Ivanti made sure to stress that CVE-2023-38035 does not affect other Ivanti products.
The company has recently fixed three vulnerabilities in Ivanti EPMM, two of which had been leveraged (as zero-days) by attackers to target Norwegian ministries.
UPDATE (August 23, 2023, 03:40 a.m. ET):
CISA has added CVE-2023-38035 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
UPDATE (August 24, 2023, 08:30 a.m. ET):
Horizon3.ai researchers have analyzed Ivanti’s patch, have shared more details about CVE-2023-38035 and a proof-of-concept (PoC) exploit. They also say that they were able to utilize an exposed endpoint to execute arbitrary commands without any authentication.
“There aren’t any definitive IoCs that we have found so far. However, any unrecognized HTTP requests to /services/* should be cause for concern. The endpoint that we exploited is likely not the only one that would allow an attacker to take control of the machine,” they noted.
“Ivanti Sentry doesn’t offer a standard Unix shell, but if a known exploited system is being forensically analyzed, /var/log/tomcat2/ contains access logs that can be used to check which endpoints were accessed. Lastly, there are logs in the web interface that might be of use to check for any suspicious activity.”