Software services provider Ivanti has issued a warning regarding an actively exploited critical zero-day flaw affecting Ivanti Sentry (formerly MobileIron Sentry). Tracked as CVE-2023-38035, this vulnerability enables unauthorized access to sensitive APIs used for configuring Ivanti Sentry through an authentication bypass.
The flaw affects versions 9.18 and earlier due to an insufficiently restrictive Apache HTTPD configuration. The severity of the vulnerability is highlighted by its CVSS score of 9.8, although there is a reduced risk of exploitation for users not exposing port 8443 to the internet.
The potential consequences of successful exploitation are significant, allowing attackers to alter configurations, execute system commands, and write files on the compromised system. The recommended countermeasure is to limit access to MICS (commonly MICS) to internal management networks.
While specifics of the exploitation are unknown, Ivanti has confirmed that only a limited number of customers have been affected so far. The discovery of this flaw is attributed to Norwegian cybersecurity company mnemonic.
Additionally, this zero-day vulnerability, designated CVE-2023-38035, could potentially be weaponized alongside two other recently disclosed flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM). This could occur in cases where port 8443 is not publicly accessible, given that the admin portal connects with the Ivanti EPMM server.
Notably, this incident follows Ivanti’s resolution of stack-based buffer overflow vulnerabilities (CVE-2023-32560) in its Avalanche software, addressing the risks of system crashes and arbitrary code execution in vulnerable installations.