Ivanti, a US-based IT software firm, has alerted its users about a severe vulnerability in its Sentry API that is currently being exploited in real-time. The vulnerability, identified as CVE-2023-38035, allows attackers who have not been authenticated to access sensitive administrative portal configuration APIs via port 8443.
Ivanti Sentry, formerly known as MobileIron Sentry, is a crucial part of many corporate digital ecosystems. It serves as a gatekeeper for major platforms like Microsoft Exchange Server and backend powerhouses like Sharepoint in MobileIron deployments. It also functions as a Kerberos Key Distribution Center Proxy (KKDCP) server.
The vulnerability, CVE-2023-38035, has a high CVSS score of 9.8 and affects the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and lower. The issue arises from an inadequately protected Apache HTTPD configuration, which provides attackers with an unrestricted pathway to bypass the authentication controls on the admin interface. This security flaw potentially gives unauthenticated attackers unparalleled access to the sensitive admin portal configuration APIs on port 8443, specific to the MobileIron Configuration Service (MICS). Importantly, this vulnerability does not affect other Ivanti products like Ivanti EPMM or Ivanti Neurons for MDM.
Once inside the system, attackers can potentially alter settings, execute system commands, or write files onto the system, compromising the integrity of the system. In their official statement, Ivanti strongly recommended that “Customers should insulate MICS access to internal management networks and staunchly resist any exposure to the internet.”
Ivanti has responded swiftly to this issue. A security patch addressing this vulnerability was quickly released following its discovery. In their most recent communication, Ivanti stated that this vulnerability impacted only a 'limited number of customers.'