Threat Name: Ivanti/MobileIron Sentry Authentication Bypass Vulnerability (CVE-2023-38035)
CVE-2023-38035 allows an unauthenticated attacker to access sensitive admin configuration APIs on Ivanti Sentry versions 9.18 and prior over port 8443. These APIs are used by the MobileIron Configuration Service (MICS); successful exploitation could lead to remote code execution with root permissions and to configuration changes to MICS.
Exploiting this vulnerability requires either internal access by a threat actor or a MICS instance configured on a port exposed to the internet. If the threat actor does not initially have access to this service, the vulnerability can be chained with two other vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2023-35078 and CVE-2023-35081) to reach and exploit this Ivanti Sentry authentication bypass.
While the Lumifi content library contains many detections that would alert on a variety of theoretical attack paths that could spawn from this vulnerability, there currently isn’t enough information about the exact mechanism of exploitation to reliably detect exploitation of this vulnerability itself. As such, Lumifi recommends restricting access to Ivanti Sentry to a management network that only IT administrators can access, and ensuring that the System Manager Portal (port 8443 by default) is not exposed to external networks. Additionally, any vulnerable versions should be patched via the RPM scripts available in Ivanti’s KB (https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US).
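The two checks recommended above (vulnerable version and System Manager Portal exposure outside the management network) can be run over a host inventory. The following is an added example, not Lumifi's or Ivanti's code; the inventory fields, the management CIDR and the version strings are constructed assumptions, and the version rule is only the advisory's "9.18 and prior".

```python
"""Exposure triage of Ivanti Sentry hosts for CVE-2023-38035 (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed placeholder for the IT-administrator management network.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
LAST_AFFECTED = (9, 18)        # advisory: versions 9.18 and prior are affected
DEFAULT_PORTAL_PORT = 8443     # System Manager Portal default port


@dataclass
class SentryHost:
    name: str
    version: str                              # assumed dotted form, e.g. "9.17.1"
    portal_port: int = DEFAULT_PORTAL_PORT
    allowed_sources: List[str] = field(default_factory=list)  # CIDRs allowed to reach the portal


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.18.0' -> (9, 18, 0); non-numeric components are ignored (assumed format)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_affected_version(v: str) -> bool:
    """True when major.minor is 9.18 or lower, i.e. '9.18 and prior'."""
    return parse_version(v)[:2] <= LAST_AFFECTED


def portal_exposed(host: SentryHost) -> List[str]:
    """Return allowed source networks that are not contained in a management network."""
    exposed = []
    for src in host.allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        inside_mgmt = any(net.subnet_of(m) for m in MANAGEMENT_NETS if m.version == net.version)
        if not inside_mgmt:
            exposed.append(src)
    return exposed


def triage(hosts: List[SentryHost]) -> Dict[str, List[str]]:
    """Map each host name to its findings: unpatched version and/or portal reachable from outside."""
    findings: Dict[str, List[str]] = {}
    for h in hosts:
        issues = []
        if is_affected_version(h.version):
            issues.append(f"version {h.version} is 9.18 or prior: apply the Ivanti RPM patch")
        for src in portal_exposed(h):
            issues.append(f"port {h.portal_port} reachable from non-management source {src}")
        findings[h.name] = issues
    return findings
```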