CVE-2023-38035: Ivanti Sentry API Authentication Bypass Zero-Day Exploited in the Wild

For the third time in a month, Ivanti discloses a zero-day vulnerability in one of its products that has been exploited in the wild

Background

On August 21, Ivanti published an advisory for a critical vulnerability in Ivanti Sentry, formerly known as MobileIron Sentry, a secure mobile gateway that is part of Ivanti’s unified endpoint management (UEM) platform.

Disclosure of this vulnerability is credited to researchers at mnemonic, which published its own blog post about the discovery.

Analysis

CVE-2023-38035 is an authentication bypass vulnerability in the MobileIron Configuration Service (MICS) Admin Portal of the Ivanti Sentry System Manager. By default, the System Manager Admin Portal is accessible via TCP port 8443. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable Admin Portal. Successful exploitation would allow an attacker to perform a variety of actions including modifying system configuration, executing system commands, as well as writing files onto the disk.

In its knowledge base article about the flaw, Ivanti explicitly states that a malicious actor that exploits this flaw could “execute OS commands on the appliance as root.”

Zero-day discovered in attack chain involving Endpoint Mobile Manager (EPMM) flaws

In the same knowledge base article, Ivanti confirms that CVE-2023-38035 was exploited in the wild as a zero-day vulnerability against a “limited number of customers.” Ivanti also says they were “informed” of its exploitation being part of an attack chain involving two recent zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

The first vulnerability, CVE-2023-35078, which was first disclosed on July 24, was a zero-day vulnerability in Ivanti EPMM that was exploited in the wild against twelve Norwegian government ministries as early as April 2023. The second vulnerability, CVE-2023-35081, which was disclosed on July 28, was another zero-day vulnerability in EPMM that was also exploited in the wild. Just like CVE-2023-38035, its discovery is also credited to researchers at mnemonic.

Proof of concept

On August 23, researchers from the Horizon3 Attack Team published a blog post and a proof-of-concept (PoC) exploit for CVE-2023-35078.

Solution

To remediate this vulnerability, Ivanti has released RPM Package Manager scripts for supported versions.

For more information on how to use the RPM scripts, please refer to the Resolution section of Ivanti’s knowledge base article.

While Ivanti recommends upgrading to resolve this issue, they do offer mitigation guidance of ensuring that port 8443 is not internet accessible by blocking external access with a firewall. While this is not a complete resolution, it is recommended to only be used if patching is not an option. We strongly recommend upgrading as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify can be located on the individual CVE page for CVE-2023-38035 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize the following plugins to identify Ivanti Sentry assets within their environments:

• Plugin ID 180021: Ivanti Sentry System Manager Portal Detection
• Plugin ID 180099: Ivanti Sentry Detection

Customers using Tenable Attack Surface Management (formerly Tenable.asm) have access to a new subscription as shown in the screenshot below:

Get more information

• Ivanti Blog Post: CVE-2023-38035 - Vulnerability affecting Ivanti Sentry
• Ivanti Article 000087498: CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface
• Ivanti Resolution and Mitigation Guidance for CVE-2023-38035

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.