Recently, a critical authentication bypass vulnerability was discovered in Ivanti Sentry by security researchers at mnemonic. This vulnerability, tracked as CVE-2023-38035, could allow an unauthenticated threat actor to bypass authentication controls and make unauthorized changes to the Ivanti Sentry server configuration.
Ivanti Sentry, formerly known as MobileIron Sentry, acts as a gateway between mobile devices and backend resources like Microsoft Exchange or SharePoint servers. It works together with Ivanti Endpoint Manager Mobile (EPMM) platform to enforce security policies on managed devices.
On August 21, 2023, mnemonic disclosed the discovery of a high-severity vulnerability in Ivanti Sentry that received a CVSS score of 9.8. If successfully exploited, this flaw could enable network-level attackers to bypass authentication and gain privileged remote access to the Sentry appliance.
In this blog, we will summarize everything about this zero-day vulnerability – its root cause, affected versions, potential impact, and most importantly, how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.
Ivanti Sentry is a key component of the Ivanti Unified Endpoint Management (UEM) solution. It functions as a policy enforcement point that ensures only authorized and compliant devices can access corporate resources like email, apps or data.
The Sentry server acts as a gateway that sits between managed mobile devices and backend systems like Microsoft Exchange. All traffic from mobile devices flows through Sentry, which blocks non-compliant devices and enforces security policies based on context.
For example, Sentry can restrict access to internal apps and emails when a device is off the corporate network. This helps prevent data leakage in case of device theft or loss.
Sentry works together with the Ivanti Endpoint Manager Mobile (EPMM) platform. EPMM is the administrative console used by IT teams to configure and manage their Sentry deployment.
It enables features like:
Automated policy push to Sentry
Centralized monitoring and reporting
Over-the-air profile updates
Secure email access controls
EPMM integrates Sentry with other Ivanti solutions like the enterprise mobility management (EMM) and identity management (IdM) suites. Together, they provide a complete UEM platform for securing and managing endpoints.
CVE ID: CVE-2023-38035
Description: Authentication bypass vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry
CVSS Score: 9.8 (Critical)
The vulnerability stemmed from an improperly restricted Apache HTTP server running on port 8443 that exposed some sensitive APIs. These APIs are used by the System Manager Portal (MICS) to communicate and configure the Sentry server.
Due to a misconfiguration issue, the APIs could be accessed by an unauthenticated attacker on the network. Successful exploitation allows the attacker to remotely execute system commands as root and make unauthorized changes to the Sentry configuration.
While direct exploitation requires network access, CVE-2023-38035 can also be exploited after compromising Ivanti EPMM using other vulnerabilities like CVE-2023-35078 and CVE-2023-35081.
Ivanti has confirmed that the authentication bypass vulnerability impacts:
All currently supported Sentry versions:
9.18
9.17
9.16
Older unsupported Sentry versions and releases
This indicates the flaw has existed in the product for several version releases.
Supported versions are still installed widely as part of enterprise UEM deployments. Older unsupported versions may still be in use by organizations that have skipped upgrades.
Therefore, any organization using Ivanti Sentry should check their specific installed version and take appropriate steps to mitigate this vulnerability.
Ivanti has released a customized RPM package for each supported Sentry version to address this vulnerability. Install the package that matches your version:
Sentry 9.18 – sentry-security-update-9.18.0-3.noarch.rpm
Sentry 9.17 – sentry-security-update-9.17.0-3.noarch.rpm
Sentry 9.16 – sentry-security-update-9.16.0-3.noarch.rpm
To install the correct RPM package on your version of Sentry:
1. Use SSH to log in to the Sentry server CLI as the admin user
2. Switch to privileged EXEC mode using the enable command
3. Install the RPM with install rpm url https://support.mobileiron.com/ivanti-updates/[rpm_package_name]
4. Run reload to restart Sentry and apply the update
Step-by-Step Procedure to Download and Install the RPM Packages on Ivanti Sentry to Fix the CVE-2023-38035 Vulnerability
Follow these steps to download and install the correct RPM package for your version of Ivanti Sentry:
Step 1: Identify the installed Sentry version
1. Log into the Sentry server CLI and run show version
2. Note down the full version number, e.g. 9.18.0, 9.17.0, 9.16.0
Step 2: Download the RPM file for your Sentry version
Navigate to https://support.mobileiron.com/ and download the RPM file for your Sentry version:
1. Sentry 9.18 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
2. Sentry 9.17 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
3. Sentry 9.16 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm
Or, directly run the commands below from the Sentry CLI. They not only download the RPM package but also install it on the appliance.
Note: This requires an internet connection to the domain support.mobileiron.com. Ensure you have whitelisted the domain in your network firewall or web proxy.
1. 9.18: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
2. 9.17: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
3. 9.16: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm
If you installed the package this way, you can skip the transfer and install steps below and move directly to step 6.
Step 3: Transfer the RPM package to the Sentry server
1. Use SCP or WinSCP to transfer the RPM package to your Sentry server
2. Place it in a directory like /tmp
Step 4: Log in to the Sentry CLI
1. SSH into the Sentry server as the admin user
2. Switch to privileged EXEC mode with enable
Step 5: Install the RPM package
1. Run install rpm url /tmp/sentry-security-update-<version>-3.noarch.rpm
2. Replace <version> with 9.16.0, 9.17.0 or 9.18.0 so that the file name matches the package you downloaded for your Sentry version
Step 6: Reload the appliance
1. Enter reload to restart services and apply the update
2. The Sentry server will reboot
This will install the correct RPM package to address CVE-2023-38035 on your specific version of Ivanti Sentry. It is important to install the RPM package that matches your version; otherwise the appliance may remain unpatched or may break.
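Matching each appliance to the right package is the error-prone part when several Sentry hosts are in play. The following Python helper is an added example, not Ivanti's tooling and not part of the original post: it parses the version out of show version output, maps supported branches to the RPM names listed above, flags unsupported releases for upgrade, and uses a constructed sample inventory. The verify_with_vendor branch for versions newer than those in the advisory is an assumption.

```python
# Added example: triage Ivanti Sentry hosts for the CVE-2023-38035 fix. Not Ivanti's
# tooling. Assumes 'show version' output contains a dotted version such as 9.18.0.
import re

RPM_BASE_URL = "https://support.mobileiron.com/ivanti-updates/"
# Security RPMs the advisory lists for each supported branch.
SECURITY_RPMS = {
    (9, 16): "sentry-security-update-9.16.0-3.noarch.rpm",
    (9, 17): "sentry-security-update-9.17.0-3.noarch.rpm",
    (9, 18): "sentry-security-update-9.18.0-3.noarch.rpm",
}
OLDEST_SUPPORTED = (9, 16)

def parse_sentry_version(show_version_output):
    """Pull (major, minor, patch) out of raw 'show version' output, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", show_version_output)
    return tuple(int(x) for x in m.groups()) if m else None

def remediation_for(version):
    """Map a parsed version tuple to the action the advisory prescribes."""
    branch = version[:2]
    if branch in SECURITY_RPMS:
        return {"action": "install_rpm",
                "command": f"install rpm url {RPM_BASE_URL}{SECURITY_RPMS[branch]}"}
    if branch < OLDEST_SUPPORTED:
        # Unsupported release: no RPM exists, so upgrade first, then patch.
        return {"action": "upgrade_then_patch", "target": "9.16 or above"}
    # Newer than any branch in the advisory (assumption): do not guess a package.
    return {"action": "verify_with_vendor", "target": "current Ivanti advisory"}

def triage_fleet(inventory):
    """inventory maps hostname -> raw 'show version' output; returns a plan per host."""
    plan = {}
    for host, output in inventory.items():
        version = parse_sentry_version(output)
        if version is None:
            plan[host] = {"action": "manual_review", "reason": "version not parsed"}
        else:
            plan[host] = remediation_for(version)
    return plan

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "sentry-a.example.internal": "Sentry Version: 9.18.0 Build 12",
    "sentry-b.example.internal": "Sentry Version: 9.14.2 Build 7",
    "sentry-c.example.internal": "Version: 9.17.0",
}
```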
For older unsupported versions, upgrade to a supported Sentry version, then install the appropriate RPM package.
Alternatively, apply mitigations:
Restrict access to port 8443 from external sources
Allow access only via the internal management network
Block port 8443 on perimeter firewalls
Do not expose the Sentry management interface (port 8443) to the internet
Install the RPM package matching your specific Sentry version
Fully upgrade older unsupported versions to 9.16 or above
Following these recommendations will ensure that your Ivanti Sentry servers are no longer vulnerable to CVE-2023-38035.
CVE-2023-38035 represents a serious authentication bypass risk for organizations using vulnerable versions of Ivanti Sentry, especially if port 8443 is open to untrusted networks.
Ivanti has responded quickly by releasing RPM packages to address this vulnerability on supported platforms. Organizations using Sentry 9.16, 9.17 or 9.18 should prioritize upgrading and applying the appropriate hotfix.
For older unsupported versions, upgrading to a supported release is highly recommended. Alternatively, restricting network access to port 8443 can also prevent external exploitation until you can patch the flaw.
As part of a defense-in-depth strategy, it is also advisable to review the security posture of your entire UEM architecture, including Ivanti EPMM servers, and apply all relevant security updates.
We hope this post helps you know how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.