CyberSecurity SEE

Ivanti Addresses Critical Vulnerability in Sentry Gateway Technology

A zero-day vulnerability has been discovered in the Ivanti Sentry security gateway product, prompting organizations using the technology to apply a security patch immediately. The vulnerability, known as CVE-2023-38035, affects the interface used by administrators to configure security policies and allows attackers to bypass authentication controls. This flaw is present in all supported Sentry versions, as well as older versions and releases that are no longer supported.

If exploited, the vulnerability enables an unauthenticated actor to access sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal. Attackers who successfully exploit the bug can change the gateway’s configuration, execute system commands, and write arbitrary files on the system. To mitigate this risk, organizations are advised to restrict access to the administrator portal to internal management networks only, rather than allowing access from the Internet.

The severity rating of this vulnerability is 9.8 out of a possible 10, indicating that it is a critical issue. However, Ivanti has stated that organizations that do not expose port 8443, which is commonly used for HTTPS or SSL encrypted web traffic, to the Internet are at little risk. Despite this reassurance, at least one media report suggests that attackers have already been exploiting CVE-2023-38035, making it a zero-day bug.
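The mitigation described above (keeping the administrator portal on port 8443 reachable only from internal management networks) can be checked against a firewall rule export. The following Python audit is an added example, not code from the article or from Ivanti; the rule format, the sample rules and the management subnet are constructed assumptions.

```python
import ipaddress

ADMIN_PORT = 8443  # admin portal port named in the article

def covers_port(spec, port):
    """True if a port spec ('any', '8443', '8000-9000') includes `port`."""
    spec = str(spec).strip().lower()
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def inside_mgmt(src, mgmt_nets):
    """True only if the whole source range sits inside one management network."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    return any(net.version == m.version and net.subnet_of(m) for m in mgmt_nets)

def exposed_rules(rules, mgmt_cidrs, port=ADMIN_PORT):
    """Return allow rules that admit traffic to `port` from outside mgmt_cidrs.

    Conservative: rule order and earlier deny rules are not modelled, so a
    flagged rule means "review this", not "confirmed reachable".
    """
    mgmt_nets = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    return [r for r in rules
            if r["action"] == "allow"
            and covers_port(r["dport"], port)
            and not inside_mgmt(r["src"], mgmt_nets)]

# Constructed sample rule set (not from any real device or from Ivanti).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.20.0.0/24", "dport": "8443"},
    {"id": 2, "action": "allow", "src": "any", "dport": "443"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dport": "8000-9000"},
    {"id": 4, "action": "allow", "src": "10.0.0.0/8", "dport": "8443"},
    {"id": 5, "action": "deny", "src": "any", "dport": "any"},
]
MGMT = ["10.20.0.0/24"]  # hypothetical management subnet

if __name__ == "__main__":
    for rule in exposed_rules(SAMPLE_RULES, MGMT):
        print(f"rule {rule['id']}: {rule['src']} -> tcp/{rule['dport']} reaches {ADMIN_PORT}")
```

Rules 3 and 4 are flagged: the first exposes 8443 through a wide port range, the second through a source range broader than the management subnet.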

When asked to confirm the exploitation and provide information on the number of compromised customers, Ivanti did not respond directly. Instead, the company referred to a blog and advisory published today, neither of which mentioned active exploit activity targeting the vulnerability. Ivanti simply stated that only a “very limited number of customers” have been impacted by the vulnerability.

Ivanti Sentry, previously known as MobileIron Sentry, is part of Ivanti’s Unified Endpoint Management product portfolio. It functions as a gateway technology, allowing organizations to manage, encrypt, and protect traffic between mobile devices and backend systems. Sentry acts as a gatekeeper to Microsoft Exchange Server, ActiveSync servers, and SharePoint servers, and can also serve as a Kerberos Key Distribution Center Proxy server.

The increasing use of gateway technologies like Sentry has caught the attention of security researchers and attackers alike. Just last month, attackers exploited a remote API access vulnerability in Ivanti Endpoint Manager and targeted 12 Norwegian government agencies. This attack allowed the attackers to access and steal data, change device configurations, and add an admin account. Ivanti has also recently disclosed another bug in its Avalanche mobile management technology after being alerted by Trend Micro’s Zero-Day Initiative.

The discovery of this vulnerability was credited to researchers at security vendor mnemonic. Ivanti promptly addressed the issue and made Red Hat Package Manager (RPM) scripts available for all supported versions. However, Ivanti cautions that organizations must install the correct RPM script for their environment; otherwise they risk system instability or an inability to remediate the vulnerability.

In conclusion, organizations using Ivanti Sentry should apply the security patch immediately to mitigate the risk posed by the CVE-2023-38035 vulnerability. Taking the necessary steps to restrict access to the administrator portal and ensuring the correct RPM script is installed will help protect against potential exploitation. Continued vigilance and prompt response to software vulnerabilities are crucial in today’s evolving threat landscape.
