Threat Brief: Ivanti/MobileIron Sentry Authentication Bypass Vulnerability (CVE-2023-38035)

Threat Name: Ivanti/MobileIron Sentry Authentication Bypass Vulnerability (CVE-2023-38035)

Threat Summary:

CVE-2023-38035 is an authentication bypass in Ivanti Sentry (formerly MobileIron Sentry) affecting versions 9.18 and prior. An unauthenticated attacker who can reach the System Manager Portal on TCP port 8443 can call sensitive administrative configuration APIs. These APIs are the ones used by the MobileIron Configuration Service (MICS); successful exploitation lets the attacker change the MICS configuration and can lead to remote code execution with root permissions on the appliance.

Lumifi’s Analysis:

Exploitation requires network reachability to the Sentry administrator interface: either the threat actor already has a foothold on an internal network that can reach port 8443, or MICS has been placed on a port that is exposed to the internet. If the threat actor does not have that access initially, this vulnerability can be chained with two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2023-35078 (unauthenticated API access) and CVE-2023-35081 (arbitrary file write), to reach the Sentry appliance and then trigger the authentication bypass.

Lumifi’s Recommendations:

The Lumifi content library contains many detections that would alert on the attack paths a threat actor could take after exploiting this vulnerability, but there is not yet enough public information about the exact exploitation mechanism to detect the bypass itself reliably. Lumifi therefore recommends reducing exposure first: restrict access to Ivanti Sentry to a management network that only IT administrators can reach, and confirm that the System Manager Portal (TCP port 8443 by default) is not reachable from external networks. Vulnerable versions should then be patched with the RPM scripts Ivanti publishes in its KB article, applying the script that matches the installed Sentry version (https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US).
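Because the bypass itself cannot yet be detected reliably, the practical check is whether anything outside the management network can reach the portal at all. The script below is an added example for this brief, not Lumifi or Ivanti code: it reads firewall connection records and flags every connection to a Sentry appliance on port 8443 whose source is outside the permitted management CIDRs. The key=value log format, the Sentry addresses, and the management subnets are all constructed for the example; adapt the parser and inventory to your own firewall export.

```python
"""
Flag connections to the Ivanti Sentry System Manager Portal (TCP 8443)
that did not originate from the management network.

Added example for this brief, not Lumifi or Ivanti code. The log lines,
hosts and CIDRs are constructed/hypothetical.
"""
import ipaddress
from typing import Iterable

# Hypothetical inventory: Sentry appliance addresses and the admin subnets
# that are allowed to reach the portal.
SENTRY_HOSTS = {"10.20.0.15", "10.20.0.16"}
MANAGEMENT_CIDRS = [
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("10.50.1.0/24"),
]
PORTAL_PORT = 8443

# Constructed sample records: one permitted admin session, one internet-sourced
# hit that the firewall allowed, one hit from a user VLAN, unrelated traffic to
# port 443 that must not alert, and one internet-sourced attempt that was denied.
SAMPLE_LOG = """\
ts=2023-08-22T09:01:12Z src=10.50.0.23 dst=10.20.0.15 dport=8443 proto=tcp action=allow
ts=2023-08-22T09:02:40Z src=203.0.113.77 dst=10.20.0.15 dport=8443 proto=tcp action=allow
ts=2023-08-22T09:03:05Z src=10.60.4.9 dst=10.20.0.16 dport=8443 proto=tcp action=allow
ts=2023-08-22T09:03:30Z src=10.60.4.9 dst=10.20.0.16 dport=443 proto=tcp action=allow
ts=2023-08-22T09:04:00Z src=198.51.100.5 dst=10.20.0.15 dport=8443 proto=tcp action=deny
"""


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def in_management_network(src: str) -> bool:
    """True if the source address falls inside any permitted admin subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_CIDRS)


def find_portal_exposure(lines: Iterable[str]) -> list:
    """Return parsed events where a non-management source connected (or tried
    to connect) to a Sentry host on the portal port. Denied attempts are kept
    so the caller can separate confirmed exposure from blocked reconnaissance."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev.get("dst") not in SENTRY_HOSTS:
            continue
        if ev.get("dport") != str(PORTAL_PORT):
            continue
        if "src" not in ev or in_management_network(ev["src"]):
            continue
        hits.append(ev)
    return hits


def exposure_report(lines: Iterable[str]) -> dict:
    """Split flagged sources into those the firewall let through (real exposure
    that needs an access-control fix) and those it denied (worth noting, but
    the control held)."""
    report = {"allowed": [], "denied": []}
    for ev in find_portal_exposure(lines):
        bucket = "allowed" if ev.get("action") == "allow" else "denied"
        report[bucket].append(ev["src"])
    return report


if __name__ == "__main__":
    result = exposure_report(SAMPLE_LOG.splitlines())
    for src in result["allowed"]:
        print(f"EXPOSED: {src} reached the Sentry portal on {PORTAL_PORT}")
    for src in result["denied"]:
        print(f"blocked attempt from {src}")
```

Run it against a day's worth of allow/deny records for the Sentry addresses; any entry in the "allowed" list is a source that should not be able to reach the portal and is the gap to close before relying on the patch.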

Referenced Article(s):

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-actively-exploited-mobileiron-zero-day-bug/

https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html

https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/

Chandler Emhoff

Chandler Emhoff is an information security professional with 8 years of experience across a range of roles. He started as an ethical hacker focused on social engineering and black-box network intrusion and has since moved into blue and purple team work. He has been a Threat Content Developer and Detection Engineer at Lumifi Cyber for the past 2 years, where he has been integral to MITRE ATT&CK framework mapping, threat research, and porting scans to the ShieldVision platform.
