
Warning: Actively exploited API Authentication Bypass on Ivanti Sentry Administrator Interface leads to RCE, Patch Immediately!

Reference: 
Advisory #2023-100
Version: 
1.0
Affected software: 
Ivanti Sentry < v9.18.0
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-38035: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Official manufacturer (CVE) - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-By...

Official manufacturer (KB) - https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sent...

Official manufacturer (documentation) - https://help.ivanti.com/mi/help/en_us/SNTRY/9.x/gdco/SentryGuide/AboutMo...

Risks

An unauthenticated remote attacker can execute arbitrary code, possibly leading to a compromise of system/data integrity, confidentiality, and/or availability. The vendor reports that this vulnerability is being exploited in the wild by an actor who first exploited CVE-2023-35078 and CVE-2023-35081, two vulnerabilities in Ivanti EPMM.

Description

Ivanti Sentry, formerly MobileIron Sentry, is a component of a MobileIron deployment that acts as a gatekeeper between managed devices and an ActiveSync server, such as Microsoft Exchange Server, or a backend resource such as a SharePoint server; it can also be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. Sentry receives its configuration and device information from a MobileIron unified endpoint management (UEM) platform, either MobileIron Core or MobileIron Cloud.

CVE-2023-38035 impacts all supported versions: 9.18, 9.17, and 9.16. Older, unsupported releases are also at risk. The vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM. Exploitation is only possible through the System Manager Portal (commonly MICS), hosted on port 8443 by default. The System Manager Portal is used for administration of the Sentry system. While the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet.

If exploited, this vulnerability enables an unauthenticated actor to make configuration changes to Sentry and underlying operating system. The vendor has been informed of exploitation in the wild of this vulnerability by a very limited number of customers. In addition, Ivanti does not have any specific indicators that can be shared for exploitation of this vulnerability at this time. Ivanti has been informed that CVE-2023-38035 was exploited after exploiting CVE-2023-35078 and CVE-2023-35081. These two vulnerabilities concern Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:

Restrict access

Implement access and authorisation management policies to restrict access to the System Manager Portal to authorised persons only from authorised networks only.

Patch

Please upgrade to the vendor recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.

  • Ivanti Sentry 9.18.0-3
  • Ivanti Sentry 9.17.0-3
  • Ivanti Sentry 9.16.0-3

Monitor/detect

The CCB recommends that organisations scale up their monitoring and detection capabilities in order to detect any related suspicious activity and to ensure a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred prior to patching.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2023-38035

Incident response company - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execu...

CERT.be CVE-2023-35078 advisory - https://www.cert.be/en/warning-critical-vulnerability-ivanti-endpoint-ma...

CERT.be CVE-2023-35081 advisory - https://cert.be/en/warning-high-severity-vulnerability-ivanti-endpoint-m...