It seems the software company Ivanti is not catching a break anytime soon, as a new zero day actively exploited has been discovered in Ivanti Sentry Gateway.
Previously the IT software company disclosed an issue which targeted the Nordmann government , and mitigated the issue with a new application update, immediately.
However, on Monday (21st August 2023) the company published a security advisory of a new zero-day attack discovered. The National Vulnerability Database created a CVE record CVE-2023-38035, and although the base score, and attack vectors are yet to be ascertained by the CVE organization, Ivanti has gone ahead to disclose records with regards to the exploit.
Ivanti disclosed that the vulnerability is associated with OWASP TOP 10 API2:2023 on Sentry administrator interface.
In a snippet of article written by Ivanti:
“API authentication bypass on sentry administrator interface, is a vulnerability that has been discovered in Ivanti Sentry, formerly known as MobileIron Sentry. This vulnerability impacts versions 9.18 and prior. The vulnerability does not impact other Ivanti products, such as Ivanti EPMM or Ivanti Neurons for MDM.”
In the vulnerability description, a successful exploit could allow unauthenticated threat actors to access sensitive API configurations of an Administrator, on the Ivanti Sentry portal running on port 8443 commonly known as MICS.
The severity score according to Ivanti, is said to be considered high and a CVSS base score of 9.8. However, customers who do not expose the port 8443, to the internet have a low risk of being exploited.
In the Description Ivanti said:
“A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.”
The attack vector of CVSS 3.1 ratings, outlined by Ivanti includes the following:
- Attack Vector (AV): None
- Attack Complexity (AC): Low
- Privilege Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged.
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
Describes by the acronym CVSS:3.1 / AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, although these ratings are disclosed on Ivanti’s forum, they have not been officially made public by The National Vulnerability Database created a CVE record CVE-2023-38035.
Remediation of the zero-day by Ivanti:
Ivanti disclosed that the remediation of the zero-day was carried out immediately, upon learning about the attack. The company stated:
“Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for supported versions. Each scripts is customized for a single version.”
The company further gave a caveat:
“If the wrong RPM script is applied, it may prevent the vulnerability from being remediated or cause system instability.”
The company additionally advised its customers to read the Knowledge Base Article for more details about the access, and application of the remediations. In a final vote of thanks, the company credited mnemonic in their assistance in discovery of the vulnerability.
Please do let us know in the comment section what are your thoughts about this.