0-Day In Ivanti’s Sentry Gateway Actively Exploited

IT software company Ivanti has disclosed another security issue, this time a zero-day vulnerability in its Ivanti Sentry gateway which is being actively exploited in the wild.

In a security advisory published on Monday, Ivanti said it was aware of only “a limited number of customers” being impacted by the bug, which has a critical CVSS rating of 9.8 and is being tracked as CVE-2023-38035.

Ivanti Sentry (previously known as MobileIron Sentry) serves as a gatekeeper between mobile devices and a company’s ActiveSync server, such as a Microsoft Exchange Server.

“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS),” the company said in its advisory. (MICS is the MobileIron Configuration Service.)

“Successful exploitation can be used to change configuration, run system commands, or write files onto the system. Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet.”

Ivanti added that while the vulnerability had a high CVSS score, there was a low risk of exploitation for customers who do not expose port 8443 to the internet.

Researchers at mnemonic, who discovered the vulnerability, explained in a blog post that Sentry gets configuration and device information from the Ivanti Endpoint Manager Mobile (EPMM) platform.

“Successful exploitation allows an unauthenticated threat actor to read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of ‘super user do’ (sudo),” the researchers wrote.

The EPMM platform has itself been exposed to two high profile critical vulnerabilities over the past month, one of which was exploited in an attack on 12 ministries within the Norwegian government.

“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices,” the Cybersecurity and Infrastructure Security Agency (CISA) said in an August 1 advisory about the two Ivanti EPMM vulnerabilities.

CISA has added both EPMM vulnerabilities (CVE-2023-35078 and CVE-2023-35081) to its Known Exploited Vulnerabilities Catalog, meaning all U.S. Federal Civilian Executive Branch government agencies are required to remediate them.

Ivanti said the newly discovered Sentry vulnerability did not affect any of its other products, including Ivanti EPMM.

The company has developed security updates, available as RPM scripts, to address the Sentry vulnerability, which impacts all currently supported versions of the solution (versions 9.18, 9.17 and 9.16).

“We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version,” Ivanti said.

Last week Tenable published details of critical vulnerabilities in the Ivanti Avalanche enterprise mobile device management system, which the security firm identified and reported in April.

Tenable said one of its researchers discovered multiple stack-based buffer overflows in Ivanti Avalanche WLAvalancheServer.exe v6.4.0.0. Ivanti has addressed the issue with the release of Avalanche version 6.4.1, which also included fixes for six other vulnerabilities.
