August 21, 2023
US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.
Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers like Microsoft Exchange Server or backend resources such as Sharepoint servers in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.
Discovered and reported by security researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).
This is possible after they bypass authentication controls by taking advantage of an insufficiently restrictive Apache HTTPD configuration.
Successful exploitation allows them to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.
Ivanti advised admins not to expose MICS to the Internet and restrict access to internal management networks.
"As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said.
"Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version," the company added.
Ivanti provides detailed information on applying the Sentry security updates onto systems running supported versions in this knowledgebase article.
