Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?
August 23, 2023

How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

How To Fix Cve 2023 38035 Api Authentication Bypass Vulnerability On Ivanti Sentry Administrator Interface

Recently, a critical authentication bypass vulnerability was discovered in Ivanti Sentry by security researchers at mnemonic. This vulnerability tracked as CVE-2023-38035, could allow an unauthenticated threat actor to bypass authentication controls and make unauthorized changes to the Ivanti Sentry server configuration.

Ivanti Sentry, formerly known as MobileIron Sentry, acts as a gateway between mobile devices and backend resources like Microsoft Exchange or SharePoint servers. It works together with Ivanti Endpoint Manager Mobile (EPMM) platform to enforce security policies on managed devices.

On August 21, 2023, mnemonic disclosed the discovery of a high severity vulnerability in Ivanti Sentry that received a CVSS score of 9.8. If successfully exploited, this flaw could enable network-level attackers to bypass authentication and gain privileged remote access to the Sentry appliance.

In this blog, we will summarize everything about this zero-day vulnerability – its root cause, affected versions, potential impact, and most importantly, how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.

A Short Note About Ivanti Sentry and Ivanti Endpoint Manager Mobile (EPMM) Platform

Ivanti Sentry is a key component of the Ivanti Unified Endpoint Management (UEM) solution. It functions as a policy enforcement point that ensures only authorized and compliant devices can access corporate resources like email, apps or data.

The Sentry server acts as a gateway that sits between managed mobile devices and backend systems like Microsoft Exchange. All traffic from mobile devices flows through Sentry, which blocks non-compliant devices and enforces security policies based on context.

For example, Sentry can restrict access to internal apps and emails when a device is off the corporate network. This helps prevent data leakage in case of device theft or loss.

Sentry works together with the Ivanti Endpoint Manager Mobile (EPMM) platform. EPMM is the administrative console used by IT teams to configure and manage their Sentry deployment.

It enables features like:

  • Automated policy push to Sentry

  • Centralized monitoring and reporting

  • Over-the-air profile updates

  • Secure email access controls

EPMM integrates Sentry with other Ivanti solutions like the enterprise mobility management (EMM) and identity management (IdM) suites. Together, they provide a complete UEM platform for securing and managing endpoints.

Summary of CVE-2023-38035

The vulnerability stemmed from an improperly restricted Apache HTTP server running on port 8443 that exposed some sensitive APIs. These APIs are used by the System Manager Portal (MICS) to communicate and configure the Sentry server.

Due to a misconfiguration issue, the APIs could be accessed by an unauthenticated attacker on the network. Successful exploitation allows the attacker to remotely execute system commands as root and make unauthorized changes to the Sentry configuration.

While direct exploitation requires network access, CVE-2023-38035 can also be exploited after compromising Ivanti EPMM using other vulnerabilities like CVE-2023-35078 and CVE-2023-35081.

Ivanti Sentry Versions Affected by CVE-2023-38035

Ivanti has confirmed that the authentication bypasses vulnerability impacts:

  • All currently supported Sentry versions:

    • 9.18

    • 9.17

    • 9.16

  • Older unsupported Sentry versions and releases

This indicates the flaw has existed in the product for several version releases.

Supported versions are still installed widely as part of enterprise UEM deployments. Older unsupported versions may still be in use by organizations that have skipped upgrades.

Therefore, any organization using Ivanti Sentry should check their specific installed version and take appropriate steps to mitigate this vulnerability.

How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

Ivanti has released customized RPM packages for each supported Sentry version to address this vulnerability:

For Supported Versions

Install the appropriate RPM package:

Ivanti has provided the following RPM packages to fix the vulnerability in supported versions:

  • Sentry 9.18 – sentry-security-update-9.18.0-3.noarch.rpm

  • Sentry 9.17 – sentry-security-update-9.17.0-3.noarch.rpm

  • Sentry 9.16 – sentry-security-update-9.16.0-3.noarch.rpm

To install the correct RPM package on your version of Sentry:

  1. Use SSH to log in to the Sentry server CLI as the admin user

  2. Switch to privileged EXEC mode using the enable command

  3. Install the RPM with install rpm url[rpm_package_name]

  4. Run reload to restart Sentry and apply the update

Step-by-Step Procedure to Download and Install the RPM packages on Ivanti Sentry to Fix the CVE-2023-38035 vulnerability?

Follow these steps to download and install the correct RPM package for your version of Ivanti Sentry:

Step-by-Step Procedure to Download and Install the RPM packages on Ivanti Sentry to Fix the CVE-2023-38035 vulnerability?

Step 1. Identify your Sentry server version

Log into the Sentry server CLI and run show version
Note down the full version number, e.g. 9.18.0, 9.17.0, 9.16.0

Step 2. Download the RPM package

Navigate to the RPM file for your Sentry version:1. Sentry 9.18 –
2. Sentry 9.17 –
3. Sentry 9.16 –

Or, directly run the below commands. This not just downloads the RPM packages but also install on the appliances.

Note: This requires an internet connection to the domain Ensure you have whitelisted the domain in your network firewall or web proxy.

1. 9.18: Type install rpm url 2. 9.17: Type install rpm url 3. 9.16: Type install rpm url
If you are done with the installation, you can skip the next two steps and move directly to
step #6.

Step 3. Transfer the RPM to Sentry if downloaded

1. Use SCP or WinSCP to transfer the RPM package to your Sentry server2. Place it in a directory like /tmp

Step 4. Log in to Sentry CLI

1. SSH into the Sentry server as the admin user2. Switch to privileged EXEC mode with enable

Step 5. Install the RPM

1. Run install rpm url /tmp/sentry-security-update-<version>-3.noarch.rpm
2. Replace <version> with 9.16, 9.17 or 9.18 as per your Sentry version

Step 6. Restart Sentry services

1. Enter reload to restart services and apply the update2. The Sentry server will reboot

This will install the correct RPM package to address CVE-2023-38035 on your specific version of Ivanti Sentry. It is important to install the correct RPM version. Or else, there may be the chance of remaining unpatched to break down the appliance.

For Unsupported Versions

  • Upgrade to a supported Sentry version, then install the appropriate RPM package

  • Alternatively, apply mitigations:

    • Restrict access to port 8443 from external sources

    • Allow access only via the internal management network

    • Block port 8443 on perimeter firewalls

General Recommendations

  • Do not expose the Sentry management interface (port 8443) to the internet

  • Install the RPM package matching your specific Sentry version

  • Fully upgrade older unsupported versions to 9.16 or above

Following these recommendations will ensure that your Ivanti Sentry servers are no longer vulnerable to CVE-2023-38035.

Bottom Line

CVE-2023-38035 represents a serious authentication bypass risk for organizations using vulnerable versions of Ivanti Sentry, especially if port 8443 is open to untrusted networks.

Ivanti has responded quickly by releasing RPM packages to address this vulnerability on supported platforms. So organizations using Sentry 9.16, 9.17 or 9.18 should prioritize upgrading and applying the appropriate hotfix.

For older unsupported versions, upgrading to a supported release is highly recommended. Alternatively, restricting network access to port 8443 can also prevent external exploitation until you can patch the flaw.

As part of a defense-in-depth strategy, it is also advisable to review the security posture of your entire UEM architecture, including Ivanti EPMM servers, and apply all relevant security updates.

We hope this post helps you know how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances. Visit our website, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription