Critical Ivanti Sentry Bug Abused as Zero-Day: Exploit Released

August 24, 2023

Exploit code for a critical authentication bypass vulnerability in Ivanti Sentry is now publicly available. The vulnerability, tracked as CVE-2023-38035, was discovered by cybersecurity firm mnemonic. It stems from an Apache HTTPD configuration that is not sufficiently restrictive, allowing threat actors to reach sensitive Sentry administrator interface APIs without authentication. Successful exploitation could allow them to execute system commands or write files on systems running Ivanti Sentry versions 9.18 and below.

Horizon3, an attack surface assessment company, has published a technical root cause analysis of this critical vulnerability along with a proof-of-concept (PoC) exploit. James Horseman, a vulnerability researcher at Horizon3, stated, "This POC abuses an unauthenticated command injection to execute arbitrary commands as the root user." He further advised affected users to patch their systems and ensure they are not exposed to the internet if possible.

Ivanti has provided detailed instructions for applying the Sentry security updates in a knowledgebase article. The company confirmed that some of its customers were impacted by CVE-2023-38035 attacks and advised administrators to restrict access to the administrator interface to the internal management network. However, a Shodan search revealed that more than 500 Ivanti Sentry instances are currently exposed online.
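The advice above comes down to a reachability control on the web server in front of the admin APIs. As an added illustration (this is not Ivanti's shipped configuration and not taken from the Horizon3 analysis), the following Apache httpd fragment shows the weak pattern the article describes next to the restrictive one: the administrative path is first open to any client that can reach the listener, then limited to internal management ranges. The path `/admin-api/` and the address ranges are assumptions chosen for the example.

```apache
# Added example; not Ivanti's configuration.
# "/admin-api/" and the CIDR ranges are hypothetical placeholders.

# Weak (shown commented out): any client that can reach the listener,
# including the internet, may call the admin API.
#<Location "/admin-api/">
#    Require all granted
#</Location>

# Restrictive: only clients on the internal management networks may
# reach the admin API; every other source address receives 403.
# Multiple "Require ip" lines in one block are OR'ed (RequireAny).
<Location "/admin-api/">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
```

After reloading httpd, confirm the control from an external vantage point (for example, `curl -I https://<host>/admin-api/` from a non-management address should return 403, while the same request from a management host succeeds). The page does not state which Sentry path or port the real fix covers, so treat this as the shape of the control, and pair it with the vendor update rather than relying on it alone: a network-level restriction on the admin listener (firewall or bind address) is the more robust form of the same advice.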

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities Catalog on Tuesday, giving federal agencies until September 14 to secure their systems. Since April, state-affiliated hackers have exploited two other vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. One of them, the critical authentication bypass flaw CVE-2023-35078, was used as a zero-day to infiltrate multiple government organizations in Norway.

Just a week ago, Ivanti patched another pair of critical stack-based buffer overflows, collectively tracked as CVE-2023-32560, in its Avalanche enterprise mobility management (EMM) solution. Successful attacks could crash the service or lead to arbitrary code execution.
