Ivanti has addressed an issue in its Sentry appliance that could allow unauthenticated attackers to gain access to exposed admin portal configuration APIs. When the bug, now designated CVE-2023-38035, is successfully exploited, it provides attackers with the opportunity to change configurations, run system commands, or write files.
Ivanti Sentry (formerly known as MobileIron Sentry) acts as a gatekeeper for enterprise ActiveSync servers such as Microsoft Exchange and backend resources like SharePoint. It can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.
Ivanti has advised that a limited number of customers have been impacted by CVE-2023-38035, and that the bug is limited to its Sentry appliance. When the vulnerability was responsibly disclosed by security researchers, Ivanti developed and released RPM scripts to secure all supported versions of the appliance.
Source: Bleeping Computer
Analysis
This vulnerability comes soon after Ivanti hastily patched a previous zero-day vulnerability in its Endpoint Manager Mobile (EPMM) appliance. This followed reports that Norwegian organizations and government departments had been breached by actors exploiting that vulnerability. Soon after, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that state-sponsored actors were exploiting unpatched appliances, allowing threat actors to access API paths containing names, phone numbers, and other information related to mobile devices managed by the appliance.
After successfully exploiting and obtaining valuable information from Ivanti EPMM appliances, it’s likely that threat actors focused their efforts on exploiting other Ivanti appliances in the hopes of obtaining a similar outcome. Fortunately, Ivanti reacts quickly to the discovery of vulnerabilities in its products and develops and releases patches within a short period of time. However, given the recent rise of threat actor interest in its products, Ivanti should dedicate more resources to conducting proactive bug hunting to identify zero-day vulnerabilities before would-be attackers do.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software like Ivanti Sentry. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of Ivanti’s Sentry appliance to run the appropriate RPM script as soon as possible.