Ivanti has released a security patch to address a critical vulnerability in its Sentry security gateway product. The vulnerability, identified as CVE-2023-38035, is present in the interface that administrators use to set security policies and allows attackers to bypass authentication controls. This flaw affects all supported Sentry versions (9.18, 9.17, and 9.16), with older, unsupported versions also at risk.
If the vulnerability is exploited, it would enable an unauthenticated actor to access sensitive APIs used to configure Ivanti Sentry on the administrator portal (port 8443, commonly known as MICS), according to the company's statement. Successful exploitation could lead to unauthorized changes to the gateway's configuration, execution of system commands, and writing of arbitrary files on the system.
As a risk mitigation measure, Ivanti has advised organizations to restrict access to the administrator portal to internal management networks only and not to expose it to the Internet. The vulnerability has been given a severity rating of 9.8 out of a possible 10, indicating its critical nature. However, Ivanti states that the flaw poses minimal risk for organizations that do not expose port 8443 (used for HTTPS or SSL-encrypted web traffic) to the Internet.
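As an added example (not from Ivanti's advisory or the original article), the following Python script audits a firewall rule set for allow rules that would leave the administrator portal on port 8443 reachable from outside the management network. The rule tuple format, the 10.20.0.0/24 management range and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

MICS_PORT = 8443  # administrator portal port named in the article

# Assumption: the range this organization treats as its management network.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample rules: (name, action, source CIDR, (dest port low, high))
SAMPLE_RULES = [
    ("mgmt-to-mics", "allow", "10.20.0.0/24", (8443, 8443)),
    ("any-https-alt", "allow", "0.0.0.0/0", (8000, 9000)),
    ("vpn-admins", "allow", "10.20.0.128/25", (8443, 8443)),
    ("office-wide", "allow", "10.0.0.0/8", (8443, 8443)),
    ("block-legacy", "deny", "0.0.0.0/0", (8443, 8443)),
    ("web", "allow", "0.0.0.0/0", (443, 443)),
]


def exposes_mics(rule, mgmt_nets=MGMT_NETS, port=MICS_PORT):
    """True if an allow rule admits traffic to `port` from beyond mgmt_nets."""
    _name, action, src, (lo, hi) = rule
    if action != "allow" or not (lo <= port <= hi):
        return False
    src_net = ipaddress.ip_network(src, strict=False)
    # The rule is acceptable only when its whole source range sits inside
    # a management network; a wider range (e.g. 10.0.0.0/8) is flagged.
    inside = any(
        src_net.subnet_of(m) for m in mgmt_nets if m.version == src_net.version
    )
    return not inside


def audit(rules):
    """Names of rules to review. Each rule is judged on its own; rule
    ordering and shadowing are ignored, so the result may over-report."""
    return [r[0] for r in rules if exposes_mics(r)]


if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"review: rule '{name}' allows port {MICS_PORT} from a non-management source")
```

Port ranges matter here: the `any-https-alt` rule never names 8443, yet its 8000-9000 range covers it.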
While there have been media reports of CVE-2023-38035 being actively exploited at the time of Ivanti's disclosure, the company has not confirmed these claims. The company has also not provided information on the number of customers potentially compromised by this vulnerability, instead referring to a blog and advisory published on the issue.
Ivanti has stated it is aware of only a 'very limited number of customers' being impacted by the vulnerability. Ivanti Sentry, formerly known as MobileIron Sentry, is part of Ivanti's broader portfolio of Unified Endpoint Management products. It serves as a gateway technology that enables organizations to manage, encrypt, and protect traffic between mobile devices and backend systems.
This is not the first time Ivanti has had to deal with vulnerabilities in its products. Last month, attackers exploited a remote API access vulnerability in the Ivanti Endpoint Manager (CVE-2023-35078) to breach systems of 12 Norwegian government agencies, leading to data theft, configuration changes, and admin account additions. Earlier this month, Ivanti disclosed another bug (CVE-2023-32560) in its Avalanche mobile management technology.
Ivanti has credited security vendor mnemonic for reporting the latest bug and states that it acted swiftly to address the issue by making RedHat Package Manager (RPM) scripts available for all supported versions. The company has warned that installing the incorrect RPM script could prevent the vulnerability from being remediated or cause system instability.