Ivanti Sentry exploited in the wild, patches emitted

Good thing you're not exposing admin port 8443 to the world, right? Uh, right?

A critical authentication bypass bug in MobileIron Sentry has been exploited in the wild, its maker Ivanti said in an advisory on Monday.

This vulnerability, tracked as CVE-2023-38035, is a 9.8-of-10 flaw in terms of CVSS severity, and strictly speaking lies within Ivanti Sentry, formerly known as MobileIron Sentry. This is a gateway that manages and encrypts traffic between an organization's mobile devices and back-end systems.

Exploitation of this vuln may result in an intruder gaining control of this sensitive network component. To do so, attackers must be able to reach administrative API port 8443 of a vulnerable Sentry deployment, which may not be public facing. According to Ivanti, a "limited" number of customers have been targeted via this flaw so far.

Miscreants can exploit this hole to bypass authentication on the administrative interface due to an insufficiently restrictive Apache HTTPd configuration. From there, they can access some sensitive admin APIs used to configure Sentry via port 8443. 

"Successful exploitation can be used to change configuration, run system commands, or write files onto the system," the security alert explained. "As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035."

There is some good news. "While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet," Ivanti claimed. Ivanti Sentry versions 9.18 and earlier are affected, and the bug does not impact any other Ivanti products, we're told.
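Given that the exploit requires reaching port 8443, the first thing a Sentry operator will want to know is whether anything outside the management network has been talking to that interface. The script below is an added example, not Ivanti's tooling and not from the advisory: it assumes the admin interface is fronted by Apache HTTPd writing a standard "combined" access log, and the log lines, paths and addresses in SAMPLE_LOG are constructed stand-ins rather than real Sentry endpoints or real traffic.

```python
"""Triage an Ivanti Sentry admin-interface (port 8443) access log for
requests that did not come from the management network.

Added example, not Ivanti's code. Assumptions: Apache "combined" log
format on the admin vhost; SAMPLE_LOG and its /admin/... paths are
constructed, not real Sentry API endpoints.
"""
import ipaddress
import re
from dataclasses import dataclass

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Networks from which admin traffic is expected. RFC 1918 is a placeholder;
# substitute the deployment's real management CIDRs.
DEFAULT_MANAGEMENT_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# State-changing methods: an accepted one from outside is the
# "change configuration / write files" outcome the advisory warns about.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log. 203.0.113.0/24 is a documentation range standing
# in for an arbitrary internet address; the last line is deliberate junk.
SAMPLE_LOG = """\
10.20.30.40 - - [21/Aug/2023:09:01:10 +0000] "GET /admin/status HTTP/1.1" 200 842 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Aug/2023:10:15:32 +0000] "GET /admin/config HTTP/1.1" 401 71 "-" "python-requests/2.31"
203.0.113.9 - - [21/Aug/2023:10:15:33 +0000] "GET /admin/config HTTP/1.1" 200 1933 "-" "python-requests/2.31"
203.0.113.9 - - [21/Aug/2023:10:15:34 +0000] "POST /admin/config HTTP/1.1" 200 71 "-" "python-requests/2.31"
192.168.1.5 - - [21/Aug/2023:10:20:00 +0000] "POST /admin/config HTTP/1.1" 200 71 "-" "Mozilla/5.0"
garbage line that must be skipped, not crash the triage
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    severity: str  # "high": accepted write; "medium": accepted read; "low": rejected


def is_management_source(ip_text, management_nets=DEFAULT_MANAGEMENT_NETS):
    """True if ip_text is inside an allowed management network.
    Unparseable addresses are treated as untrusted, never as allowed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in management_nets)


def severity_for(method, status):
    """Rank an external-source request by what it achieved."""
    if status >= 400:
        return "low"      # interface is exposed, but the request was rejected
    if method in WRITE_METHODS:
        return "high"     # accepted, state-changing request from outside
    return "medium"       # accepted read from outside


def hunt(log_text, management_nets=DEFAULT_MANAGEMENT_NETS):
    """Return (findings, skipped_line_count) for every request whose source
    is outside management_nets. Lines that do not parse are counted, not fatal."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        if is_management_source(m["ip"], management_nets):
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"],
                                status, severity_for(m["method"], status)))
    return findings, skipped


def sources_by_severity(findings):
    """Map each external source IP to the worst severity observed for it."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        current = worst.get(f.ip)
        if current is None or rank[f.severity] > rank[current]:
            worst[f.ip] = f.severity
    return worst


if __name__ == "__main__":
    found, skipped = hunt(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.ip} {f.timestamp} {f.method} {f.path} -> {f.status}")
    print(f"{len(found)} external-source requests; {skipped} unparseable line(s) skipped")
    print("worst per source:", sources_by_severity(found))
```

Run it against the real 8443 vhost log with the deployment's actual management CIDRs; a "high" hit is a successful write from the internet and should be treated as a probable compromise rather than a misconfiguration, while "low" hits show the port is reachable from outside even if authentication held.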

Ivanti added: "Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for supported versions. Each script is customized for a single version." The vendor also noted that applying the wrong script may prevent the issue from being fixed or cause "system instability."

The company declined to answer The Register's specific questions about the security flaw, including how many customers were compromised.

Today's advisory is the software vendor's third such alert in less than a month.

In late July, miscreants exploited CVE-2023-35078, another remote authentication bypass flaw in Ivanti Endpoint Manager Mobile (EPMM), to compromise at least 12 Norwegian government agencies before the developer issued a fix.

According to the US government's CISA and the Norwegian National Cyber Security Centre, whoever exploited that critical vulnerability spent at least four months snooping around their victims' systems and stealing data before an intrusion was spotted.

The two nations also warned of "potential for widespread exploitation" of Ivanti's software in both government and enterprise networks.

Just days later, Ivanti patched a second EPMM vulnerability, tracked as CVE-2023-35081. 

This bug required an intruder to be logged in as an administrator to upload arbitrary files to an EPMM web app server. Someone could use this to upload a webshell to a vulnerable server and remotely control the backdoored box, if they were able to obtain admin login credentials or escalate privileges via another flaw (the aforementioned CVE-2023-35078, say?).

Neither Ivanti nor any of the government agencies investigating the intrusions has so far attributed any of these exploits to a nation-state or criminal gang. ®
