Ivanti Sentry, formerly known as MobileIron Sentry, is a security gateway that manages, encrypts and protects traffic between mobile devices and backend enterprise systems [1] [2] [3] [5] [7]. Ivanti has issued a warning about a critical zero-day vulnerability, CVE-2023-38035, that affects Sentry versions 9.18.0 and earlier.

Description

The vulnerability allows an unauthenticated attacker to bypass authentication on the System Manager Portal, which listens on port 8443, and reach sensitive APIs. An attacker who exploits it can change the appliance's configuration [4], execute system commands [1] [2] [4] [5] and write files to the system [2] [4]. The CVSS severity rating is 9.8 out of 10. Ivanti has acknowledged only a limited number of impacted customers [1].

To reduce the risk, Ivanti recommends restricting access to the administrator portal and not exposing port 8443 to the internet [1]; the risk of exploitation is low for customers who do not expose port 8443 to the internet [2] [7]. Ivanti has released RPM (originally Red Hat Package Manager) scripts for every supported version to remediate the vulnerability. The script must match the installed Sentry version: applying the wrong one can leave the vulnerability unaddressed and cause system instability.

CVE-2023-38035 has been confirmed in Ivanti Sentry versions 9.18, 9.17 [6] [7] and 9.16 [7]. Successful exploitation lets an unauthenticated threat actor read and write files on the Sentry server and execute OS commands as the system administrator (root) through sudo ("super user do") [5]. Only certain API endpoints of the System Manager Portal, which runs on port 8443, are exploitable [5]; if that port is not exposed to the internet, the attacker needs access to the internal network [5]. The System Manager Portal is used to communicate with the Ivanti EPMM server [5]. According to [5], CVE-2023-38035 can be chained with the earlier EPMM vulnerabilities CVE-2023-35078 and CVE-2023-35081; note that the Sentry flaw is exploitable on its own, since no authentication is required. Ivanti has released RPM scripts for each supported version [5].

Block external access to Ivanti Sentry on port 8443 and restrict it to a management network reachable only by IT administrators [5]. Ivanti has published a security advisory and the RPM scripts that patch the vulnerability [7]. This is Ivanti's third advisory in less than a month [3]; the earlier vulnerabilities were exploited to compromise government agencies [3], and the exploits have not been attributed to any specific nation-state or criminal group [3]. For details, refer to Ivanti's security advisory and blog post [5].

Conclusion

The critical zero-day vulnerability in Ivanti Sentry poses a significant risk to organizations running affected versions. Restricting access to port 8443 and installing the version-specific RPM script reduce the likelihood of exploitation. Because the vulnerabilities Ivanti disclosed in the preceding weeks were already exploited in the wild, organizations should track Ivanti's security advisories, verify that their Sentry appliances are not reachable from untrusted networks, and apply the fix promptly to protect their systems and data.

References

[1] https://www.darkreading.com/attacks-breaches/ivanti-issues-fix-for-critical-vuln-in-its-sentry-gateway-technology
[2] https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
[3] https://www.threatshub.org/blog/ivanti-sentry-exploited-in-the-wild-patches-emitted/
[4] https://securityonline.info/cve-2023-38035-ivanti-sentry-api-authentication-bypass-vulnerability-being-exploited-in-the-wild/
[5] https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
[6] https://vulnera.com/newswire/critical-vulnerability-in-ivanti-sentry-api-exploited-in-the-wild/
[7] https://borncity.com/win/2023/08/22/new-0-day-vulnerability-cve-2023-38035-in-ivanti-sentry/