Ivanti Sentry API Authentication Bypass
This live blog contains information regarding a vulnerability in Ivanti Sentry. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on August 25, 2023.

T-Update
Update 25 August 2023
12:30 | Cyber security company Horizon3 has published a detailed write-up regarding CVE-2023-38035, including a Proof-of-Concept (POC) exploit. This POC exploit was obtained by reverse engineering the publicly available patch for the vulnerability. For a more technical and in-depth analysis, see the post written by Horizon3, which can be found here:
No direct indicators of compromise were mentioned in the blog. However, as stated by Horizon3, any unrecognized HTTP request to /services/* should be cause for concern. You can check for suspicious activity by viewing the logs in the web interface.
Alternatively, during forensic analysis, the access logs in /var/log/tomcat2/ can be used to check which endpoints were accessed on a known exploited system.
As a POC exploit is now publicly available, we advise patching as soon as possible using the previously communicated instructions.
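As an added illustration of the log check described above (example code written for this post, not code from Tesorion, Horizon3 or Ivanti), the following script parses Tomcat access-log lines in the default common/combined pattern, normalizes each request path and reports every request under /services/ together with the source address that made it. The log lines, addresses and endpoint names below are constructed placeholders, and the assumption that the appliance writes the default Tomcat access-log format is the editor's, not something the post states.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Default Tomcat access-log pattern (common/combined), e.g.
# 203.0.113.45 - - [22/Aug/2023:03:14:07 +0200] "POST /services/x HTTP/1.1" 200 128
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Prefix named in the Horizon3 guidance quoted above.
SUSPECT_PREFIX = "/services/"


def normalize_path(raw_target):
    """Strip the query string, percent-decode and collapse dot segments and
    doubled slashes so that obfuscated spellings of /services/... still match."""
    path = unquote(raw_target.split("?", 1)[0])
    path = posixpath.normpath(path)
    while path.startswith("//"):          # normpath keeps a leading '//'
        path = path[1:]
    return path


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in the
    expected format (truncated lines, rotated-file headers, etc.)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_services_requests(lines, prefix=SUSPECT_PREFIX):
    """Every parseable request whose normalized path starts with `prefix`.
    Response status is kept but not filtered on: a 404 against /services/
    is still a request that should not have been made."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"].startswith(prefix):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


def scan_file(path):
    """Run the check over a real access log, e.g. one from /var/log/tomcat2/."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_services_requests(fh)


# Constructed sample log; addresses and endpoint names are placeholders.
SAMPLE_LOG = """\
10.0.0.7 - - [22/Aug/2023:08:01:12 +0200] "GET /login HTTP/1.1" 200 2345
10.0.0.7 - - [22/Aug/2023:08:01:20 +0200] "POST /login HTTP/1.1" 302 0
203.0.113.45 - - [22/Aug/2023:03:14:07 +0200] "POST /services/placeholder-endpoint HTTP/1.1" 200 128
203.0.113.45 - - [22/Aug/2023:03:14:09 +0200] "GET /services/placeholder-endpoint?x=1 HTTP/1.1" 200 64
198.51.100.9 - - [22/Aug/2023:03:20:41 +0200] "GET /static/../services/other-placeholder HTTP/1.1" 404 0
this line is not in access-log format
"""

if __name__ == "__main__":
    found = find_services_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts'].isoformat()} {h['src']} {h['method']} {h['path']} -> {h['status']}")
    print("per source:", summarize_by_source(found))
```

Run it against a copied access log with `scan_file("/path/to/access_log")`; any source address that appears in the summary and is not one of your own administrators or monitoring hosts warrants a closer look at what else that address did on the appliance.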
If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
Update 22 August 2023
19:30 | On the 21st of August, Ivanti released a security blog describing an API authentication bypass. The vulnerability is registered as CVE-2023-38035 and allows an unauthenticated attacker with access to the System Manager Portal to make configuration changes to Sentry and the underlying operating system. The Sentry System Manager Portal (commonly known as MICS, MobileIron Configuration Service) is hosted on port 8443 by default, and Ivanti recommends not exposing the portal to the internet.
Exploits of CVE-2023-38035 have been observed in the wild against a small number of customers. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM (Endpoint Manager Mobile), MobileIron Cloud or Ivanti Neurons for MDM. Ivanti has released software updates; it is highly recommended to apply these security patches as soon as possible.
Background
On the 21st of August, Ivanti released a security blog describing an API authentication bypass. The vulnerability is registered as CVE-2023-38035 and allows an unauthenticated attacker with access to the System Manager Portal to make configuration changes to Sentry and the underlying operating system. The Sentry System Manager Portal (commonly known as MICS, MobileIron Configuration Service) is hosted on port 8443 by default, and Ivanti recommends not exposing the portal to the internet. Exploits of CVE-2023-38035 have been observed in the wild against a small number of customers. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM (Endpoint Manager Mobile), MobileIron Cloud or Ivanti Neurons for MDM. Ivanti has released software updates; it is highly recommended to apply these security patches as soon as possible.
Risk
The vulnerability CVE-2023-38035 has a CVSS score of 9.8 on a scale that runs from 0 to 10.
A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact.
The CVE-2023-38035 vulnerability in Ivanti Sentry allows an unauthenticated attacker with access to the Sentry System Manager Portal (MICS) to make configuration changes to Sentry and the underlying operating system. Successful exploitation can allow the attacker to execute OS commands on the appliance as root.
The Sentry System Manager Portal is hosted on port 8443 by default, and Ivanti recommends not exposing the portal to the internet.
Exploits of CVE-2023-38035 have been observed in the wild against a small number of customers. Ivanti recommends upgrading to a supported version and then applying the RPM scripts provided by Ivanti.
Advice
Ivanti Sentry was formerly known as MobileIron Sentry. The following versions of Ivanti Sentry are vulnerable:
- Versions 9.18, 9.17 and 9.16
- Older versions/releases
We advise upgrading as soon as possible to one of the following supported versions and applying the RPM script:
- Sentry 9.18
- Sentry 9.17
- Sentry 9.16
The RPM scripts provided by Ivanti can be found here:
Sources