Ivanti has issued a patch for an actively exploited authentication bypass vulnerability in Ivanti Sentry (formerly known as MobileIron Sentry), a software component that manages and secures traffic between mobile devices and back-end enterprise systems.
This latest zero-day flaw (CVE-2023-38035) follows fixes the company released in July for two other actively exploited flaws in Ivanti Endpoint Manager Mobile (or EPMM, formerly known as MobileIron Core): CVE-2023-35078, a serious authentication bypass vulnerability that was exploited to target a software platform utilized by 12 Norwegian government agencies, and CVE-2023-35081, a path traversal bug that has a lower severity score but can be chained with CVE-2023-35078 in attacks.
Ivanti on Tuesday said it “has been informed that CVE-2023-38035 was exploited after exploiting CVE-2023-35078 and CVE-2023-35081.”
“Ivanti has been informed of the exploitation of a very limited number of customers,” according to the company in a security advisory. “We are unable to discuss the specifics of our customers.”
Further details of the exploitation are not available. Also on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-38035 to its Known Exploited Vulnerabilities Catalog.
According to Ivanti, CVE-2023-38035 impacts versions 9.18 and prior of Ivanti Sentry (including both supported versions and older versions). The flaw could enable an unauthenticated attacker to bypass authentication controls on the administrative interface, allowing them to change configurations, write files onto the system and execute OS commands on the appliance as root.
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS),” according to Ivanti’s initial advisory on Monday.
Ivanti has created RPM scripts for each supported version of Ivanti Sentry and is urging customers to apply them. For customers that cannot update, the company said the firewall should block external access to Sentry on port 8443, adding that there is a “low risk of exploitation” for customers that do not expose 8443 to the internet.
“Exploitation is only possible through the System Manager Portal, hosted on port 8443 by default. Ivanti does not recommend this being available on the internet,” according to Ivanti. “Where possible, we strongly recommend port 8443 be restricted to a management network that only IT Administrators have access to.”
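The two checks a defender would want from the advisory above are whether a Sentry appliance is on an affected version line and whether its System Manager Portal port is reachable from anything other than the management network. The following script is an added example, not Ivanti's code or a tool from the advisory: the firewall allow-rules, the partner network and the management network 10.10.0.0/24 are constructed values, and the version test only compares major.minor against the "9.18 and prior" statement in the article.

```python
"""Exposure and version checks for the Ivanti Sentry System Manager Portal.

Added illustration, not Ivanti's code. The rules and networks below are
constructed; the management network is an assumed value.
"""
import ipaddress
from dataclasses import dataclass

# The advisory states the portal (MICS) is hosted on 8443 by default.
SENTRY_MICS_PORT = 8443

# "Versions 9.18 and prior" are affected; compare on major.minor only.
LAST_AFFECTED_LINE = (9, 18)


@dataclass(frozen=True)
class AllowRule:
    """One inbound allow rule: a source CIDR permitted to reach a TCP port."""
    src: str
    port: int


def exposed_sources(rules, port, mgmt_networks):
    """Return the source CIDRs that can reach `port` from outside the management networks.

    A source is acceptable only when it lies entirely inside one of the
    management networks; anything broader (including 0.0.0.0/0) is reported.
    """
    mgmt = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for rule in rules:
        if rule.port != port:
            continue
        src = ipaddress.ip_network(rule.src, strict=False)
        inside_mgmt = any(
            src.subnet_of(m) for m in mgmt if src.version == m.version
        )
        if not inside_mgmt:
            findings.append(rule.src)
    return findings


def is_affected(version):
    """True when the major.minor of `version` is 9.18 or earlier."""
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) <= LAST_AFFECTED_LINE


# Constructed rule sets: the first exposes the portal to the internet and to
# a partner network; the second restricts it to the management network.
CONSTRUCTED_RULES = [
    AllowRule("0.0.0.0/0", 443),        # device-facing Sentry traffic, not the portal
    AllowRule("0.0.0.0/0", 8443),       # portal open to the internet: the risky setting
    AllowRule("192.0.2.0/24", 8443),    # constructed partner network, not management
    AllowRule("10.10.0.0/24", 8443),    # assumed management network
]
HARDENED_RULES = [
    AllowRule("0.0.0.0/0", 443),
    AllowRule("10.10.0.0/24", 8443),
]
MANAGEMENT_NETWORKS = ["10.10.0.0/24"]


if __name__ == "__main__":
    for label, rules in (("before", CONSTRUCTED_RULES), ("after", HARDENED_RULES)):
        bad = exposed_sources(rules, SENTRY_MICS_PORT, MANAGEMENT_NETWORKS)
        print(f"{label}: sources reaching {SENTRY_MICS_PORT} outside management = {bad}")
    for v in ("9.17.2", "9.18.0", "9.19.0"):
        print(f"version {v}: affected={is_affected(v)}")
```

Run against the exported allow-rules of the firewall in front of the appliance, the "before" set reports both the any-source rule and the partner network as reaching the portal, while the "after" set reports nothing, which is the state the advisory asks for when patching is delayed.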