CVE-2023-38035: Ivanti Sentry API Authentication Bypass Vulnerability Being Exploited in the Wild

CVE-2023-38035

Ivanti, a US-based IT software company, has warned customers that a critical vulnerability in its Sentry API is being exploited in the wild. The vulnerability, tracked as CVE-2023-38035, allows unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443.

At its core, Ivanti Sentry, previously known as MobileIron Sentry, is an integral component of many corporate IT environments. It acts as a gatekeeper for backend platforms such as Microsoft Exchange Server and SharePoint in MobileIron deployments, and it can also function as a Kerberos Key Distribution Center Proxy (KKDCP) server.


With a staggering CVSS score of 9.8, the CVE-2023-38035 vulnerability affects the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below. The root cause is an insufficiently restrictive Apache HTTPD configuration, which gives would-be attackers an unchecked path to bypass authentication controls on the administrative interface.

This security flaw potentially grants unauthenticated attackers unprecedented access to the highly sensitive admin portal configuration APIs on port 8443, specific to the MobileIron Configuration Service (MICS). It’s imperative to note that this particular vulnerability does not extend to other Ivanti stalwarts such as Ivanti EPMM or Ivanti Neurons for MDM.

Once inside, attackers can potentially reconfigure settings, execute system commands, or write files onto the system. To put it bluntly, the sanctity of the system stands compromised.

In its official statement, Ivanti was categorical in its recommendation: “Customers should insulate MICS access to internal management networks and staunchly resist any exposure to the internet.”
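Ivanti's recommendation is a network-exposure control: the port 8443 admin portal should only ever be reached from internal management networks. One way to verify that on an existing deployment is to review the access log of the 8443 listener and flag every request that did not originate from an allowed management range. The script below is an added example, not Ivanti's code or anything from the original article; the management CIDRs, the log lines and the request paths are all constructed placeholders (the page does not name any MICS endpoint paths), and it assumes the log is in Apache combined format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Management networks from which MICS admin access is expected.
# Constructed for this example; substitute the real internal management CIDRs.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Apache combined log format, assumed for the 8443 listener's access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    severity: str  # "high" when the request succeeded, otherwise "medium"


def is_management_ip(ip: str) -> bool:
    """True when the address falls inside one of the allowed management ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_external_admin_requests(lines):
    """Return a Finding for every parseable request whose source is not a management address.

    A successful (2xx) response from an outside address means the admin portal
    answered an unexpected client and is rated high; anything else is still an
    exposure problem and is rated medium.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        try:
            if is_management_ip(m["ip"]):
                continue
        except ValueError:
            continue  # not a valid IP literal; nothing to classify
        status = int(m["status"])
        findings.append(Finding(
            ip=m["ip"],
            timestamp=m["ts"],
            method=m["method"],
            path=m["path"],
            status=status,
            severity="high" if 200 <= status < 300 else "medium",
        ))
    return findings


# Constructed sample log for the 8443 listener. Addresses use documentation
# ranges and the path is a placeholder, not a real MICS endpoint.
SAMPLE_LOG = [
    '10.10.3.4 - - [21/Aug/2023:10:14:01 +0000] "GET /mics-admin-placeholder/config HTTP/1.1" 200 1024',
    '203.0.113.45 - - [21/Aug/2023:10:15:32 +0000] "GET /mics-admin-placeholder/config HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Aug/2023:10:16:10 +0000] "POST /mics-admin-placeholder/config HTTP/1.1" 401 0',
    'garbage line without structure',
    '192.168.50.12 - - [21/Aug/2023:10:17:45 +0000] "GET /mics-admin-placeholder/status HTTP/1.1" 200 256',
]


if __name__ == "__main__":
    for f in find_external_admin_requests(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status} at {f.timestamp}")
```

Any finding at all means the listener is reachable from outside the management network and the firewall or reverse-proxy rules need attention; a high-severity finding additionally shows that the portal served content to that client, which on an unpatched 9.18.0 or earlier release is exactly the exposure the advisory warns about.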

The silver lining amidst this cloud is Ivanti’s swift response. A security patch addressing this vulnerability was promptly rolled out on a Monday, following its discovery. Furthermore, as of its last communication, Ivanti stated that the vulnerability impacted only a “limited number of customers.”