ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Ivanti Sentry API Authentication Bypass

By 25 August 2023 CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in Ivanti Sentry. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on August 25, 2023.

Update 25 August 2023

12:30 | Cyber security company Horizon3 has published a detailed write-up regarding CVE-2023-38035 including a Proof-of-Concept (POC) exploit. This POC exploit was obtained by reverse engineering a patch that has been made publicly available to fix the vulnerability. For a more technical and in-depth analysis see the post written by Horizon3 which can be found here:

There were no direct indicators of compromise mentioned in the blog. However, any unrecognized HTTP requests to /services/* should be cause for concern as stated by Horizon3. You can check for any suspicious activity by viewing the logs in the web-interface.

Alternatively, using forensic analysis, the access logs in /var/log/tomcat2/ can be used to check which endpoints were accessed on a known exploited system.

As a POC exploit is currently available, we advise to patch as soon as possible using the previously communicated instructions.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 22 August 2023

19:30 | On the 21st of august, Ivanti has released a security blog describing an API authentication bypass. The vulnerability is registered as CVE-2023-38035 and allows an unauthenticated attacker with access to the System Manager Portal to make configuration changes to Sentry and the underlying operating system. The Sentry System Manager Portal (commonly known as MICS, MobileIron Configuration Service) is hosted on port 8443 by default and it is recommended by Ivanti to not expose the portal to the internet.

Exploits of CVE-2023-38035 have been observed in the wild against a small number of customers. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM (Endpoint Manager Mobile), MobileIron Cloud or Ivanti Neurons for MDM. Ivanti has released software updates. It is highly recommended to apply these security patches as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 21st of august, Ivanti has released a security blog describing an API authentication bypass. The vulnerability is registered as CVE-2023-38035 and allows an unauthenticated attacker with access to the System Manager Portal to make configuration changes to Sentry and the underlying operating system. The Sentry System Manager Portal (commonly known as MICS, MobileIron Configuration Service) is hosted on port 8443 by default and it is recommended by Ivanti to not expose the portal to the internet.

Exploits of CVE-2023-38035 have been observed in the wild against a small number of customers. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM (Endpoint Manager Mobile), MobileIron Cloud or Ivanti Neurons for MDM. Ivanti has released software updates. It is highly recommended to apply these security patches as soon as possible.

Potential Risk

The vulnerability CVE-2023-38035 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10.

A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact.

The CVE-2023-38035 vulnerability in Ivanti Sentry allows an unauthenticated attacker with access to the Sentry System Manager Portal (MICS) to make configuration changes to Sentry and the underlying operating system. Successful exploitation can allow the attacker to execute OS commands on the appliance as root.

The Sentry System Manager Portal is hosted on port 8443 by default and it is recommended by Ivanti to not expose the portal to the internet.

Exploits of CVE-2023-35078 have been observed in the wild against a small number of customers. Ivanti recommends upgrading to a supported version and then apply the RPM scripts provided by Ivanti.

Detail info

Ivanti Sentry was formerly known as MobileIron Sentry. The following versions of Ivanti Sentry are vulnerable:

  • Versions – 9.18, 9.17, and 9.16
  • Older versions/releases

We advise to upgrade as soon as possible to one of the following supported versions and apply the RPM script:

  • Sentry 9.18
  • Sentry 9.17
  • Sentry 9.16

The RPM scripts provided by Ivanti can be found here:

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.