Ivanti has released a patch to an actively exploited API Authentication Bypass vulnerability. CVE-2023-38035 has been given a high severity rating with a CVSS score of 9.8. The vulnerability may allow an unauthenticated actor to access sensitive APIs configuring the Ivanti Sentry on the administrator portal.
Ivanti has mentioned in the advisory that they are aware of a limited number of customers impacted by CVE-2023-38035.
CISA has also acknowledged the CVE-2023-38053 by adding it to its Known Exploited Vulnerabilities Catalog. CISA has requested users to patch the vulnerability before September 12, 2023.
Ivanti Sentry is a server that acts as a gatekeeper between mobile devices and an organization’s ActiveSync server, such as a Microsoft Exchange Server, or with a backend resource, such as a SharePoint server. Ivani Sentry can be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. Ivanti Endpoint Manager Mobile (EPMM) is the platform from which Sentry obtains configuration and device data.
Vulnerability Description
The vulnerability originates from an insufficiently restrictive Apache HTTPD configuration within the MICS Admin Portal. This flaw would enable an unauthenticated attacker to bypass authentication controls on the administrative interface.
An unauthenticated attacker who successfully exploits this vulnerability would be able to read and write files to the Ivanti Sentry server and execute OS commands as a system administrator (root) using “super user do” (sudo).
The vendor advisory suggests that only a few API endpoints in the System Manager Portal, also known as MICS (MobileIron Configuration Service), which runs on port 8443 by default, are vulnerable to exploitation.
To access port 8443, an attacker is required to gain internal access if it is not exposed to the internet. To communicate with the Ivanti EPMM server, an attacker must access the vulnerable System Manager Portal.
Therefore, CVE-2023-35078 and CVE-2023-35081 can be used to exploit CVE-2023-38035.
The advisory states, “The vulnerability does not impact other Ivanti products, such as Ivanti EPMM (Endpoint Manager Mobile) or Ivanti Neurons for MDM.”
Affected Versions
The vulnerability affects Ivanti Sentry Supported Versions 9.18, 9.17, 9.16, and prior.
Mitigation
Ivanti has released RPM scripts for all supported versions to patch the vulnerability.
Please refer to the Knowledge Base Article for more information regarding accessing and applying the remediations.
Note: Deploying an incorrect RPM script might hinder the remediation process or even lead to system instability.
Qualys Detection
Qualys customers can scan their devices with QID 730875 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US