CVE-2023-38035: Ivanti Sentry API Authentication Bypass Zero-Day Exploited in the Wild
For the third time in a month, Ivanti discloses a zero-day vulnerability in one of its products that has been exploited in the wild
Update August 31:The Identifying affected systems section has been updated to include the availability additional Tenable product coverage
Background
On August 21, Ivanti published an advisory for a critical vulnerability in Ivanti Sentry, formerly known as MobileIron Sentry, a secure mobile gateway that is part of Ivanti’s unified endpoint management (UEM) platform.
CVE | Description | CVSSv3 | Severity |
---|---|---|---|
CVE-2023-38035 | Ivanti Sentry API Authentication Bypass Vulnerability | 9.8 | Critical |
Disclosure of this vulnerability is credited to researchers at mnemonic, which published its own blog post about the discovery.
Analysis
CVE-2023-38035 is an authentication bypass vulnerability in the MobileIron Configuration Service (MICS) Admin Portal of the Ivanti Sentry System Manager. By default, the System Manager Admin Portal is accessible via TCP port 8443. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable Admin Portal. Successful exploitation would allow an attacker to perform a variety of actions including modifying system configuration, executing system commands, as well as writing files onto the disk.
In its knowledge base article about the flaw, Ivanti explicitly states that a malicious actor that exploits this flaw could “execute OS commands on the appliance as root.”
Zero-day discovered in attack chain involving Endpoint Mobile Manager (EPMM) flaws
In the same knowledge base article, Ivanti confirms that CVE-2023-38035 was exploited in the wild as a zero-day vulnerability against a “limited number of customers.” Ivanti also says they were “informed” of its exploitation being part of an attack chain involving two recent zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
The first vulnerability, CVE-2023-35078, which was first disclosed on July 24, was a zero-day vulnerability in Ivanti EPMM that was exploited in the wild against twelve Norwegian government ministries as early as April 2023. The second vulnerability, CVE-2023-35081, which was disclosed on July 28, was another zero-day vulnerability in EPMM that was also exploited in the wild. Just like CVE-2023-38035, its discovery is also credited to researchers at mnemonic.
Proof of concept
On August 23, researchers from the Horizon3 Attack Team published a blog post and a proof-of-concept (PoC) exploit for CVE-2023-35078.
Solution
To remediate this vulnerability, Ivanti has released RPM Package Manager scripts for supported versions.
Ivanti Sentry Affected Versions | Ivanti Sentry Fixed Versions (using RPM Scripts) |
---|---|
9.18 | 9.18.0a |
9.17 | 9.17.0a |
9.16 | 9.16.0a |
9.15 and below | Upgrade to a supported version then apply the relevant RPM script |
For more information on how to use the RPM scripts, please refer to the Resolution section of Ivanti’s knowledge base article.
While Ivanti recommends upgrading to resolve this issue, they do offer mitigation guidance of ensuring that port 8443 is not internet accessible by blocking external access with a firewall. While this is not a complete resolution, it is recommended to only be used if patching is not an option. We strongly recommend upgrading as soon as possible.
Identifying affected systems
A list of Tenable plugins to identify can be located on the individual CVE page for CVE-2023-38035 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize the following plugins to identify Ivanti Sentry assets within their environments:
- Plugin ID 180021: Ivanti Sentry System Manager Portal Detection
- Plugin ID 180099: Ivanti Sentry Detection
Customers using Tenable Attack Surface Management (formerly Tenable.asm) have access to a new subscription as shown in the screenshot below:
Get more information
- Ivanti Blog Post: CVE-2023-38035 - Vulnerability affecting Ivanti Sentry
- Ivanti Article 000087498: CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface
- Ivanti Resolution and Mitigation Guidance for CVE-2023-38035
Change Log
Update August 31:The Identifying affected systems section has been updated to include the availability additional Tenable product coverage
Update August 24 #2:The Proof of concept section has been updated to include the availability of a public proof-of-concept (PoC) exploit that was published on August 23
Update August 24 #1: The Identifying affected systems section has been updated to include additional plugin coverage information.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management