Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2023-38035: Ivanti Sentry API Authentication Bypass Zero-Day Exploited in the Wild

Tenable Research Advisory for a new zero-day vulnerability disclosed in the wild in Ivanti Sentry, identified as CVE-2023-38035

For the third time in a month, Ivanti discloses a zero-day vulnerability in one of its products that has been exploited in the wild

Update August 31:The Identifying affected systems section has been updated to include the availability additional Tenable product coverage

View Change Log

Background

On August 21, Ivanti published an advisory for a critical vulnerability in Ivanti Sentry, formerly known as MobileIron Sentry, a secure mobile gateway that is part of Ivanti’s unified endpoint management (UEM) platform.

CVE Description CVSSv3 Severity
CVE-2023-38035 Ivanti Sentry API Authentication Bypass Vulnerability 9.8 Critical

Disclosure of this vulnerability is credited to researchers at mnemonic, which published its own blog post about the discovery.

Analysis

CVE-2023-38035 is an authentication bypass vulnerability in the MobileIron Configuration Service (MICS) Admin Portal of the Ivanti Sentry System Manager. By default, the System Manager Admin Portal is accessible via TCP port 8443. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable Admin Portal. Successful exploitation would allow an attacker to perform a variety of actions including modifying system configuration, executing system commands, as well as writing files onto the disk.

In its knowledge base article about the flaw, Ivanti explicitly states that a malicious actor that exploits this flaw could “execute OS commands on the appliance as root.”

Zero-day discovered in attack chain involving Endpoint Mobile Manager (EPMM) flaws

In the same knowledge base article, Ivanti confirms that CVE-2023-38035 was exploited in the wild as a zero-day vulnerability against a “limited number of customers.” Ivanti also says they were “informed” of its exploitation being part of an attack chain involving two recent zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

The first vulnerability, CVE-2023-35078, which was first disclosed on July 24, was a zero-day vulnerability in Ivanti EPMM that was exploited in the wild against twelve Norwegian government ministries as early as April 2023. The second vulnerability, CVE-2023-35081, which was disclosed on July 28, was another zero-day vulnerability in EPMM that was also exploited in the wild. Just like CVE-2023-38035, its discovery is also credited to researchers at mnemonic.

Proof of concept

On August 23, researchers from the Horizon3 Attack Team published a blog post and a proof-of-concept (PoC) exploit for CVE-2023-35078.

Solution

To remediate this vulnerability, Ivanti has released RPM Package Manager scripts for supported versions.

Ivanti Sentry Affected Versions Ivanti Sentry Fixed Versions (using RPM Scripts)
9.18 9.18.0a
9.17 9.17.0a
9.16 9.16.0a
9.15 and below Upgrade to a supported version then apply the relevant RPM script

For more information on how to use the RPM scripts, please refer to the Resolution section of Ivanti’s knowledge base article.

While Ivanti recommends upgrading to resolve this issue, they do offer mitigation guidance of ensuring that port 8443 is not internet accessible by blocking external access with a firewall. While this is not a complete resolution, it is recommended to only be used if patching is not an option. We strongly recommend upgrading as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify can be located on the individual CVE page for CVE-2023-38035 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize the following plugins to identify Ivanti Sentry assets within their environments:

Customers using Tenable Attack Surface Management (formerly Tenable.asm) have access to a new subscription as shown in the screenshot below:

 Ivanti Sentry (formerly MobileIron Sentry) Subscription

Get more information

Change Log

Update August 31:The Identifying affected systems section has been updated to include the availability additional Tenable product coverage

Update August 24 #2:The Proof of concept section has been updated to include the availability of a public proof-of-concept (PoC) exploit that was published on August 23

Update August 24 #1: The Identifying affected systems section has been updated to include additional plugin coverage information.

View Change Log

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.