August 23, 2023

How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

Recently, a critical authentication bypass vulnerability was discovered in Ivanti Sentry by security researchers at mnemonic. This vulnerability, tracked as CVE-2023-38035, could allow an unauthenticated threat actor to bypass authentication controls and make unauthorized changes to the Ivanti Sentry server configuration.

Ivanti Sentry, formerly known as MobileIron Sentry, acts as a gateway between mobile devices and backend resources like Microsoft Exchange or SharePoint servers. It works together with Ivanti Endpoint Manager Mobile (EPMM) platform to enforce security policies on managed devices.

On August 21, 2023, mnemonic disclosed the discovery of a high severity vulnerability in Ivanti Sentry that received a CVSS score of 9.8. If successfully exploited, this flaw could enable network-level attackers to bypass authentication and gain privileged remote access to the Sentry appliance.

In this blog, we will summarize everything about this zero-day vulnerability – its root cause, affected versions, potential impact, and most importantly, how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.

A Short Note About Ivanti Sentry and Ivanti Endpoint Manager Mobile (EPMM) Platform

Ivanti Sentry is a key component of the Ivanti Unified Endpoint Management (UEM) solution. It functions as a policy enforcement point that ensures only authorized and compliant devices can access corporate resources like email, apps or data.

The Sentry server acts as a gateway that sits between managed mobile devices and backend systems like Microsoft Exchange. All traffic from mobile devices flows through Sentry, which blocks non-compliant devices and enforces security policies based on context.

For example, Sentry can restrict access to internal apps and emails when a device is off the corporate network. This helps prevent data leakage in case of device theft or loss.

Sentry works together with the Ivanti Endpoint Manager Mobile (EPMM) platform. EPMM is the administrative console used by IT teams to configure and manage their Sentry deployment.

It enables features like:

  • Automated policy push to Sentry

  • Centralized monitoring and reporting

  • Over-the-air profile updates

  • Secure email access controls

EPMM integrates Sentry with other Ivanti solutions like the enterprise mobility management (EMM) and identity management (IdM) suites. Together, they provide a complete UEM platform for securing and managing endpoints.

Summary of CVE-2023-38035

The vulnerability stemmed from an improperly restricted Apache HTTP server running on port 8443 that exposed some sensitive APIs. These APIs are used by the System Manager Portal (MICS) to communicate and configure the Sentry server.

Due to a misconfiguration issue, the APIs could be accessed by an unauthenticated attacker on the network. Successful exploitation allows the attacker to remotely execute system commands as root and make unauthorized changes to the Sentry configuration.

While direct exploitation requires network access, CVE-2023-38035 can also be exploited after compromising Ivanti EPMM using other vulnerabilities like CVE-2023-35078 and CVE-2023-35081.

Ivanti Sentry Versions Affected by CVE-2023-38035

Ivanti has confirmed that the authentication bypass vulnerability impacts:

  • All currently supported Sentry versions:

    • 9.18

    • 9.17

    • 9.16

  • Older unsupported Sentry versions and releases

This indicates the flaw has existed in the product for several version releases.

Supported versions are still installed widely as part of enterprise UEM deployments. Older unsupported versions may still be in use by organizations that have skipped upgrades.

Therefore, any organization using Ivanti Sentry should check their specific installed version and take appropriate steps to mitigate this vulnerability.

How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

Ivanti has released customized RPM packages for each supported Sentry version to address this vulnerability:

For Supported Versions

Install the appropriate RPM package:

Ivanti has provided the following RPM packages to fix the vulnerability in supported versions:

  • Sentry 9.18 – sentry-security-update-9.18.0-3.noarch.rpm

  • Sentry 9.17 – sentry-security-update-9.17.0-3.noarch.rpm

  • Sentry 9.16 – sentry-security-update-9.16.0-3.noarch.rpm

To install the correct RPM package on your version of Sentry:

  1. Use SSH to log in to the Sentry server CLI as the admin user

  2. Switch to privileged EXEC mode using the enable command

  3. Install the RPM with install rpm url https://support.mobileiron.com/ivanti-updates/[rpm_package_name]

  4. Run reload to restart Sentry and apply the update

Step-by-Step Procedure to Download and Install the RPM packages on Ivanti Sentry to Fix the CVE-2023-38035 vulnerability?

Follow these steps to download and install the correct RPM package for your version of Ivanti Sentry:

Step 1. Identify your Sentry server version

Log into the Sentry server CLI and run show version
Note down the full version number, e.g. 9.18.0, 9.17.0, 9.16.0

Step 2. Download the RPM package

Navigate to https://support.mobileiron.com/ and download the RPM file for your Sentry version:

1. Sentry 9.18 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
2. Sentry 9.17 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
3. Sentry 9.16 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm

Or, directly run the commands below. This not only downloads the RPM package but also installs it on the appliance.

Note: This requires an internet connection to the domain support.mobileiron.com. Ensure you have whitelisted the domain in your network firewall or web proxy.

1. 9.18: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
2. 9.17: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
3. 9.16: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm

If you are done with the installation, you can skip the next two steps and move directly to step #6.

Step 3. Transfer the RPM to Sentry if downloaded

1. Use SCP or WinSCP to transfer the RPM package to your Sentry server
2. Place it in a directory like /tmp

Step 4. Log in to Sentry CLI

1. SSH into the Sentry server as the admin user
2. Switch to privileged EXEC mode with enable

Step 5. Install the RPM

1. Run install rpm url /tmp/sentry-security-update-<version>-3.noarch.rpm
2. Replace <version> with 9.16, 9.17 or 9.18 as per your Sentry version

Step 6. Restart Sentry services

1. Enter reload to restart services and apply the update
2. The Sentry server will reboot

This installs the correct RPM package to address CVE-2023-38035 on your specific version of Ivanti Sentry. It is important to install the RPM that matches your version: installing the wrong package may leave the appliance unpatched or break it.

For Unsupported Versions

  • Upgrade to a supported Sentry version, then install the appropriate RPM package

  • Alternatively, apply mitigations:

    • Restrict access to port 8443 from external sources

    • Allow access only via the internal management network

    • Block port 8443 on perimeter firewalls
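The script below is an added example (not from the original post, and not Ivanti's own tooling) that ties together the patch procedure above and the network mitigation just listed. It reads the version out of show version-style text, picks the RPM Ivanti published for that release (or reports that an unsupported release must be upgraded first), prints the exact CLI command to type after enable, and includes a reachability probe for port 8443 so you can confirm from an untrusted network segment that the perimeter block actually holds. The format of the show version output, the sample text, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: map an Ivanti Sentry version to its CVE-2023-38035 RPM and
# check whether the management port is reachable. Not Ivanti's code.

# Constructed sample of "show version" output. The real appliance format is
# an assumption; adjust the sed pattern below if yours differs.
SAMPLE_SHOW_VERSION='Ivanti Sentry
Version: 9.18.0 Build 12
Uptime: 3 days'

# Extract the first major.minor.patch version found in show version-style text.
sentry_version_from_output() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Version:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Map an installed version to the package Ivanti released for it (from the post).
# Only 9.16, 9.17 and 9.18 have packages; anything else returns 1 (upgrade first).
sentry_rpm_for_version() {
  case "$1" in
    9.18.*) echo "sentry-security-update-9.18.0-3.noarch.rpm" ;;
    9.17.*) echo "sentry-security-update-9.17.0-3.noarch.rpm" ;;
    9.16.*) echo "sentry-security-update-9.16.0-3.noarch.rpm" ;;
    *) return 1 ;;
  esac
}

# Build the Sentry CLI command from the procedure above (run after "enable").
# For an unsupported release, print a marker and return 1.
sentry_patch_command() {
  rpm=$(sentry_rpm_for_version "$1") || {
    echo "UPGRADE_REQUIRED: $1 is not a supported release; upgrade to 9.16 or above first"
    return 1
  }
  echo "install rpm url https://support.mobileiron.com/ivanti-updates/${rpm}"
}

# Return 0 if a TCP connection to host:port succeeds within the timeout.
# Run this from outside the management network to verify that port 8443 is
# blocked at the perimeter. Uses bash's /dev/tcp, so bash must be installed.
port_reachable() {
  host=$1
  port=${2:-8443}
  secs=${3:-3}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Print a verdict for a host's management port exposure.
check_exposure() {
  if port_reachable "$1" 8443; then
    echo "WARNING: $1:8443 is reachable from this vantage point"
    return 1
  fi
  echo "OK: $1:8443 is not reachable from this vantage point"
}

main() {
  v=$(sentry_version_from_output "$SAMPLE_SHOW_VERSION")
  echo "Detected version: $v"
  if cmd=$(sentry_patch_command "$v"); then
    echo "Run on the Sentry CLI after 'enable': $cmd"
    echo "Then run: reload"
  else
    echo "$cmd"
  fi
  # Example exposure check (hypothetical host; supply your own address):
  # check_exposure sentry.example.internal
}

main "$@"
```

Paste the real show version output into SAMPLE_SHOW_VERSION (or pipe it into sentry_version_from_output) to get the command for your appliance; run check_exposure from a network segment that should not have management access, before and after applying the firewall rule.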

General Recommendations

  • Do not expose the Sentry management interface (port 8443) to the internet

  • Install the RPM package matching your specific Sentry version

  • Fully upgrade older unsupported versions to 9.16 or above

Following these recommendations will ensure that your Ivanti Sentry servers are no longer vulnerable to CVE-2023-38035.

Bottom Line

CVE-2023-38035 represents a serious authentication bypass risk for organizations using vulnerable versions of Ivanti Sentry, especially if port 8443 is open to untrusted networks.

Ivanti has responded quickly by releasing RPM packages to address this vulnerability on supported platforms. So organizations using Sentry 9.16, 9.17 or 9.18 should prioritize upgrading and applying the appropriate hotfix.

For older unsupported versions, upgrading to a supported release is highly recommended. Alternatively, restricting network access to port 8443 can also prevent external exploitation until you can patch the flaw.

As part of a defense-in-depth strategy, it is also advisable to review the security posture of your entire UEM architecture, including Ivanti EPMM servers, and apply all relevant security updates.

We hope this post helps you know how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
