Organizations using almost any version of the Ivanti Sentry security gateway product might want to immediately apply the security patch that the company released today to address what appears to be a zero-day vulnerability in the technology.
The vulnerability, tracked as CVE-2023-38035, is present in the interface that administrators use to configure security policies and gives attackers a way to bypass authentication controls. The flaw affects all supported Sentry versions (9.18, 9.17, and 9.16). Older, non-supported versions and releases of Sentry are also at risk of exploit via the vulnerability.
Unauthenticated Access
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS),” the vendor said in a statement.
An attacker that successfully exploits the bug can change the gateway’s configuration, execute system commands, and write arbitrary files on the system. To mitigate risk, organizations should restrict access to the administrator portal to only internal management networks and not to the Internet, Ivanti said.
The bug has a severity rating of 9.8 out of a possible 10, making it a critical issue. However, according to Ivanti, the flaw poses little risk for organizations that do not expose port 8443 — for HTTPS or SSL encrypted Web traffic — to the Internet.
At least one media report described attackers as already exploiting CVE-2023-38035 at the time Ivanti disclosed the flaw, which by definition would make it a zero-day bug.
Ivanti itself did not directly respond to a Dark Reading request for confirmation of that characterization. Neither did it respond to a question seeking information on how many customers the attacker might have compromised so far. Instead, the company pointed to a blog post and an advisory that it published today on the vulnerability. Neither made any mention of active exploit activity targeting the flaw.
In a brief, two-sentence statement, Ivanti said it was aware of only a “very limited number of customers” being impacted by the vulnerability.
Attractive Target
Ivanti Sentry, formerly MobileIron Sentry, is part of Ivanti’s broader portfolio of Unified Endpoint Management products. It’s a gateway technology that allows organizations to manage, encrypt, and protect traffic between mobile devices and backend systems. Ivanti itself describes Sentry as serving as a sort of gatekeeper to an organization’s Microsoft Exchange Server or other ActiveSync server or with backend systems such as Sharepoint server. Sentry can also be used as a Kerberos Key Distribution Center Proxy (KKDCP) server.
Many companies have deployed such technologies in recent years to ensure remote workers can securely access enterprise applications and devices using personally owned and corporate-issued mobile devices. Their growing use has attracted increasing attention from security researchers and attackers. Just last month, for instance, attackers broke into systems belonging to 12 Norwegian government agencies after finding and exploiting a remote API access vulnerability in the Ivanti Endpoint Manager. The bug, tracked as CVE-2023-35078, allowed attackers to access and steal data, change device configuration information, and add an admin account. Earlier this month, Ivanti disclosed another bug (CVE-2023-32560), this time in its Avalanche mobile management technology after Trend Micro’s Zero-Day Initiative reported the bug to the company.
Ivanti credited researchers at security vendor mnemonic for reporting the newest bug to the company. The company claimed it acted immediately to address the problem and have RedHat Package Manager (RPM) scripts available for all supported versions as soon as possible. The RPM scripts are customized for each version and organizations need to pay attention to which one they install in their environment, Ivanit warned. “If the wrong RPM script is applied it may prevent the vulnerability from being remediated or cause system instability,” the company noted.