Advisory

Ivanti reports critical vulnerability in Sentry, actively exploited by attackers

Take action: Another urgent action because of an Ivanti product. This time it's about reconfiguring your firewalls to block access to Ivanti Sentry port 8443 from the internet and configuring it to communicate only with trusted networks. Then start patching your Ivanti suite. For the fourth time in the last thirty days.


Learn More

Ivanti, a company that specializes in IT management and security software solutions, has issued a warning about another security threat, this time in Ivanti Sentry, previously known as MobileIron Sentry. This is the fourth critical vulnerability reported by Ivanti and exploited in the wild in the last month, after two in Ivanti EPMM and one in Ivanti Avalanche.

The new vulnerability is tracked as CVE-2023-38035 (CVSS3 score 9.8) and is a flaw in the Sentry API authentication. It allows attackers to bypass authentication controls and gain unauthorized access to sensitive admin portal configuration APIs, which are exposed over port 8443. This port is used by the MobileIron Configuration Service (MICS), a component within MobileIron deployments responsible for managing enterprise ActiveSync servers like Microsoft Exchange Server and backend resources like SharePoint servers.

Vulnerable versions of Ivanti Sentry are versions 9.18 and earlier.

The vulnerability is already actively exploited by attackers. The attackers exploit the vulnerability by taking advantage of an Apache HTTPD configuration that lacks sufficient restrictions. By exploiting this weakness, unauthenticated attackers can manipulate the configuration settings, execute system commands, and write files onto systems.

Ivanti recommends that administrators ensure the MICS is not exposed to the public Internet and restrict access solely to internal management networks.

Ivanti assures its customers that the newly discovered vulnerability only affects Ivanti Sentry and not its other products or solutions, such as Ivanti EPMM, MobileIron Cloud, or Ivanti Neurons for MDM. The company advises customers to upgrade to a supported version of Ivanti Sentry and then apply the relevant patch.
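One way to check the mitigation described above (port 8443 reachable only from internal management networks) against an exported firewall rule set, as an added example that is not Ivanti's code. The rule tuples, the management network ranges and the function names are constructed for illustration.

```python
import ipaddress

MICS_PORT = 8443  # admin portal / MICS port named in the advisory

# Assumption: the internal management networks for this example.
TRUSTED_MGMT = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# Constructed inbound allow rules: (rule name, source CIDR, destination port).
SAMPLE_RULES = [
    ("allow-mgmt-vlan", "10.20.0.0/24", 8443),
    ("allow-any-admin", "0.0.0.0/0", 8443),
    ("allow-office", "10.0.0.0/8", 8443),
    ("allow-jump-host", "192.168.50.7/32", 8443),
    ("allow-activesync", "0.0.0.0/0", 443),
]


def in_affected_range(version):
    """True for Sentry 9.18 and earlier, the range the advisory lists.

    A version in this range still needs its patch state checked separately.
    """
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    return major_minor <= (9, 18)


def exposed_rules(rules, trusted=TRUSTED_MGMT, port=MICS_PORT):
    """Names of allow rules that let sources outside the trusted networks reach the port."""
    findings = []
    for name, source, dport in rules:
        if dport != port:
            continue
        src = ipaddress.ip_network(source, strict=False)
        # A rule is acceptable only if its whole source range sits inside
        # one trusted network; a broader range (10.0.0.0/8) is a finding.
        covered = any(
            src.version == t.version and src.subnet_of(t) for t in trusted
        )
        if not covered:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule in exposed_rules(SAMPLE_RULES):
        print(f"port {MICS_PORT} reachable beyond management networks via rule: {rule}")
    for v in ("9.17.0", "9.18.0", "9.19.0"):
        print(v, "in affected range" if in_affected_range(v) else "outside affected range")
```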

 
