Ivanti Sentry logo

[updated] Ivanti Sentry critical vulnerability—don’t play dice, patch

Ivanti has published a security blog post about a vulnerability in Ivanti Sentry, formerly MobileIron Sentry. Successful exploitation of the vulnerability would enable an unauthenticated attacker to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS).

Ivanti Sentry is a gateway technology that allows organizations to manage, encrypt, and protect traffic between mobile devices and backend systems. The technology helps organizations to securely access enterprise applications and devices using personally owned and corporate-issued mobile devices.

This vulnerability impacts all supported versions (Versions 9.18. 9.17 and 9.16). Older versions are also at risk. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM.

Ivanti has made RPM scripts available now for all supported versions. It recommends customers first upgrade to a supported version and then apply the RPM script specifically designed for their version. More detailed information is available in this Security Advisory. Each script is customized for a single version and if the wrong RPM script is applied it may prevent the vulnerability from being remediated or cause system instability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this update is CVE-2023-38035, which has a CVSS score of 9.8 out of 10. It’s described as a security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

A remote, unauthenticated attacker could exploit this vulnerability to change configuration files, run system commands, or write files to the system.

Reportedly, Ivanti customers have seen exploitation of CVE-2023-38035 in Sentry when port 8443 is exposed to the Internet. Port 8443 is commonly used for HTTPS (encrypted) web traffic. Users that are not ready to update to a supported version or don’t have the opportunity to run the script, are advised to close port 8443.

Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet, which would then require any attacker to gain internal access first.

While we are not completely sure if this vulnerability is used in the wild, two previous vulnerabilities in Ivanti Endpoint Manager Mobile Authentication (EPMM) listed as CVE-2023-35078 and CVE-2023-35081were both subject to active exploitation.

Update August 25, 2023 

Ivanti warned customers that the critical Sentry API authentication bypass vulnerability is being exploited in the wild.

“As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM.”

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.