CyberSecurity SEE

Ivanti Releases Patch for Third Zero-Day Vulnerability Exploited in the Wild

A critical zero-day vulnerability in Ivanti Sentry has been disclosed by Ivanti, making it the third such case in the past month. The flaw, known as CVE-2023-38035, impacts Ivanti Sentry versions 9.18 and below, and has received a critical Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. Ivanti Sentry is used to secure data between mobile devices and corporate systems as part of the Unified Endpoint Management Solutions platform.

The vulnerability was reported by cybersecurity company Mnemonic, which discovered it in the MobileIron Configuration Service administrative portal served on port 8443. Ivanti has issued a security advisory urging customers to upgrade to the fixed versions and apply the RPM scripts provided. Each script is customized for a specific version. Exploitation of the vulnerability could allow an unauthenticated attacker to access sensitive APIs used for configuring Ivanti Sentry on port 8443.

Further details about the vulnerability were revealed in two other posts on Monday. In one blog post, Ivanti mentioned that while the CVE-2023-38035 issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet. Ivanti also released a knowledge base (KB) article discussing the vulnerability in more detail. The KB emphasized the importance of taking port 8443 offline because exploitation is only possible through the System Manager Portal.

According to Ivanti, a limited number of customers have been affected by active exploitation of CVE-2023-38035. The company’s analysis suggests that the flaw is not part of a supply chain attack, and Ivanti itself has not been compromised as a result of the vulnerability. However, addressing the vulnerability may not be straightforward. Ivanti warned customers that using the incorrect RPM script for their version could prevent the flaw from being remediated or potentially cause system instability.

One known issue highlighted by Ivanti is that customers using the Sentry 9.16 version may encounter an error message stating, “Unable to save the configuration” after entering the reload command. In such cases, Ivanti recommends trying the reload command again and contacting support if the issue persists. The extent of the impact on customers and the overall remediation process remains unclear.

As a quick fix, Ivanti recommends blocking external access to Sentry on port 8443 through the firewall and restricting port access to IT administrators only. The KB article also mentions two other recently discovered zero-day vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM). The most critical vulnerability, CVE-2023-35078, was disclosed in late July and received a CVSS score of 10 out of 10. These vulnerabilities were exploited by attackers to target the Norwegian government’s Departments’ Security and Service Organization in late August.
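One way to verify the port 8443 restriction described above, as an added example that is not from the article or from Ivanti: it assumes the firewall in front of Sentry can be exported in `iptables-save` format and that IT administrators sit in a known subnet (the `10.20.30.0/24` value and both rulesets are constructed). It does not evaluate the chain's default policy or negated (`!`) matches.

```python
import ipaddress

ADMIN_PORT = 8443  # Sentry admin portal port named in the article

def covers_port(spec):
    """True if an iptables port spec ('8443', '443,8443', '8000:9000') includes ADMIN_PORT."""
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= ADMIN_PORT <= int(hi or lo) for lo, _, hi in ranges)

def parse_rule(line):
    """Return (source_network, target) if an INPUT rule can match tcp/8443, else None."""
    tok = line.split()
    if tok[:2] != ["-A", "INPUT"] or "-j" not in tok[:-1]:
        return None
    opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
    spec = opt.get("--dport") or opt.get("--dports")
    # Rules with no port but a state/interface match are out of scope for this check.
    skip = ("-m" in opt or "-i" in opt) if spec is None else not covers_port(spec)
    if opt.get("-p", "tcp") != "tcp" or skip:
        return None
    return ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False), opt["-j"]

def audit(ruleset, admin_cidrs):
    """Return ACCEPT rules that expose tcp/8443 to non-admin sources (first match wins)."""
    admins = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings, blocked = [], []
    for line in ruleset.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or any(rule[0].subnet_of(b) for b in blocked):
            continue  # not relevant, or shadowed by an earlier DROP/REJECT
        src, target = rule
        if target in ("DROP", "REJECT"):
            blocked.append(src)
        elif target == "ACCEPT" and not any(src.subnet_of(a) for a in admins):
            findings.append(line.strip())
    return findings

# Constructed rulesets; 10.20.30.0/24 is a made-up IT admin subnet.
WEAK = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,8443 -j ACCEPT
"""
FIXED = """\
-A INPUT -s 10.20.30.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
"""

if __name__ == "__main__":
    print(audit(WEAK, ["10.20.30.0/24"]), audit(FIXED, ["10.20.30.0/24"]))
```

An empty list means every rule that accepts traffic to port 8443 is limited to the admin networks passed in.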

Despite the three vulnerabilities being actively exploited within a month of each other, Ivanti clarifies that CVE-2023-38035 specifically impacts Ivanti Sentry and not EPMM. The company states that CVE-2023-38035 was exploited after CVE-2023-35078 and CVE-2023-35081. On Tuesday, CVE-2023-38035 was added to CISA’s Known Exploited Vulnerabilities Catalog, alongside CVE-2023-35078 and CVE-2023-35081, indicating the need for enterprises to prioritize remediation.

Overall, the disclosure of the critical zero-day vulnerability CVE-2023-38035 in Ivanti Sentry highlights the ongoing challenges and risks associated with maintaining secure enterprise systems. Companies like Ivanti must promptly address and remediate these vulnerabilities to protect their customers’ data and systems from potential exploitation by malicious actors.