How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

Recently, a critical authentication bypass vulnerability was discovered in Ivanti Sentry by security researchers at mnemonic. This vulnerability, tracked as CVE-2023-38035, could allow an unauthenticated threat actor to bypass authentication controls and make unauthorized changes to the Ivanti Sentry server configuration.

Ivanti Sentry, formerly known as MobileIron Sentry, acts as a gateway between mobile devices and backend resources like Microsoft Exchange or SharePoint servers. It works together with the Ivanti Endpoint Manager Mobile (EPMM) platform to enforce security policies on managed devices.

On August 21, 2023, mnemonic disclosed the discovery of a high severity vulnerability in Ivanti Sentry that received a CVSS score of 9.8. If successfully exploited, this flaw could enable network-level attackers to bypass authentication and gain privileged remote access to the Sentry appliance.

In this blog, we will summarize everything about this zero-day vulnerability – its root cause, affected versions, potential impact, and most importantly, how to fix CVE-2023-38035, an API authentication bypass vulnerability on Ivanti Sentry admin instances.

A Short Note About Ivanti Sentry and Ivanti Endpoint Manager Mobile (EPMM) Platform

Ivanti Sentry is a key component of the Ivanti Unified Endpoint Management (UEM) solution. It functions as a policy enforcement point that ensures only authorized and compliant devices can access corporate resources like email, apps or data.

The Sentry server acts as a gateway that sits between managed mobile devices and backend systems like Microsoft Exchange. All traffic from mobile devices flows through Sentry, which blocks non-compliant devices and enforces security policies based on context.

For example, Sentry can restrict access to internal apps and emails when a device is off the corporate network. This helps prevent data leakage in case of device theft or loss.

Sentry works together with the Ivanti Endpoint Manager Mobile (EPMM) platform. EPMM is the administrative console used by IT teams to configure and manage their Sentry deployment.

It enables features like:

  • Automated policy push to Sentry
  • Centralized monitoring and reporting
  • Over-the-air profile updates
  • Secure email access controls

EPMM integrates Sentry with other Ivanti solutions like the enterprise mobility management (EMM) and identity management (IdM) suites. Together, they provide a complete UEM platform for securing and managing endpoints.

Summary of CVE-2023-38035

The vulnerability stemmed from an improperly restricted Apache HTTP server running on port 8443 that exposed some sensitive APIs. These APIs are used by the System Manager Portal (MICS) to communicate and configure the Sentry server.

Due to a misconfiguration issue, the APIs could be accessed by an unauthenticated attacker on the network. Successful exploitation allows the attacker to remotely execute system commands as root and make unauthorized changes to the Sentry configuration.

While direct exploitation requires network access, CVE-2023-38035 can also be exploited after compromising Ivanti EPMM using other vulnerabilities like CVE-2023-35078 and CVE-2023-35081.

Ivanti Sentry Versions Affected by CVE-2023-38035

Ivanti has confirmed that the authentication bypass vulnerability impacts:

  • All currently supported Sentry versions:
    • 9.18
    • 9.17
    • 9.16
  • Older unsupported Sentry versions and releases

This indicates the flaw has existed in the product for several version releases.

Supported versions are still installed widely as part of enterprise UEM deployments. Older unsupported versions may still be in use by organizations that have skipped upgrades.

Therefore, any organization using Ivanti Sentry should check their specific installed version and take appropriate steps to mitigate this vulnerability.

How to Fix CVE-2023-38035- API Authentication Bypass Vulnerability on Ivanti Sentry Administrator Interface?

Ivanti has released customized RPM packages for each supported Sentry version to address this vulnerability:

For Supported Versions

Install the appropriate RPM package:

Ivanti has provided the following RPM packages to fix the vulnerability in supported versions:

  • Sentry 9.18 – sentry-security-update-9.18.0-3.noarch.rpm
  • Sentry 9.17 – sentry-security-update-9.17.0-3.noarch.rpm
  • Sentry 9.16 – sentry-security-update-9.16.0-3.noarch.rpm

To install the correct RPM package on your version of Sentry:

  1. Use SSH to log in to the Sentry server CLI as the admin user
  2. Switch to privileged EXEC mode using the enable command
  3. Install the RPM with install rpm url https://support.mobileiron.com/ivanti-updates/[rpm_package_name]
  4. Run reload to restart Sentry and apply the update

Step-by-Step Procedure to Download and Install the RPM packages on Ivanti Sentry to Fix the CVE-2023-38035 vulnerability?

Follow these steps to download and install the correct RPM package for your version of Ivanti Sentry:

Time needed: 10 minutes

  1. Identify your Sentry server version

    Log into the Sentry server CLI and run show version
    Note down the full version number, e.g. 9.18.0, 9.17.0, 9.16.0

  2. Download the RPM package

    Navigate to https://support.mobileiron.com/
    Download the RPM file for your Sentry version:
    1. Sentry 9.18 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
    2. Sentry 9.17 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
    3. Sentry 9.16 – https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm

    Alternatively, run one of the commands below from the Sentry CLI. This downloads the RPM package and installs it on the appliance in one step.

    Note: This requires an internet connection to the domain support.mobileiron.com. Ensure you have whitelisted the domain in your network firewall or web proxy.

    1. 9.18: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.18.0-3.noarch.rpm
    2. 9.17: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.17.0-3.noarch.rpm
    3. 9.16: Type install rpm url https://support.mobileiron.com/ivanti-updates/sentry-security-update-9.16.0-3.noarch.rpm

    If you are done with the installation, you can skip the next two steps and move directly to step #6.

  3. Transfer the RPM to Sentry if you downloaded it manually

    1. Use SCP or WinSCP to transfer the RPM package to your Sentry server
    2. Place it in a directory like /tmp

  4. Log in to Sentry CLI

    1. SSH into the Sentry server as the admin user
    2. Switch to privileged EXEC mode with enable

  5. Install the RPM

    1. Run install rpm url /tmp/sentry-security-update-<version>-3.noarch.rpm
    2. Replace <version> with 9.16, 9.17 or 9.18 as per your Sentry version

  6. Restart Sentry services

    1. Enter reload to restart services and apply the update
    2. The Sentry server will reboot

  7. This installs the RPM package that addresses CVE-2023-38035 on your specific version of Ivanti Sentry. It is important to install the RPM that matches your version: installing the wrong package may leave the appliance unpatched or break it.
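The procedure above hinges on matching the installed Sentry train to the right fix package. The following script is an added example, not Ivanti's code: it parses the output of `show version` (the sample output format is an assumption), returns the matching `install rpm url` command from the list above, refuses unsupported trains, and cross-checks an RPM filename against the installed version before it is fed to the CLI.

```python
"""Select and sanity-check the CVE-2023-38035 fix RPM for an Ivanti Sentry appliance."""
import re

BASE_URL = "https://support.mobileiron.com/ivanti-updates/"
# Supported release trains and the security RPM published for each (from the advisory).
FIX_PACKAGES = {
    (9, 18): "sentry-security-update-9.18.0-3.noarch.rpm",
    (9, 17): "sentry-security-update-9.17.0-3.noarch.rpm",
    (9, 16): "sentry-security-update-9.16.0-3.noarch.rpm",
}
# First dotted version in the CLI output; the exact 'show version' wording is assumed.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")
RPM_RE = re.compile(r"^sentry-security-update-(\d+)\.(\d+)\.\d+-\d+\.noarch\.rpm$")


def parse_version(show_version_output: str) -> tuple:
    """Return (major, minor) from 'show version' output; raise if none is present."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no version string found in 'show version' output")
    return int(m.group(1)), int(m.group(2))


def select_fix(show_version_output: str) -> str:
    """Return the Sentry CLI command that installs the RPM for this train.

    Trains without a published RPM (older than 9.16) get an error instead:
    the guidance for those is to upgrade first and, until then, keep TCP/8443
    reachable only from the internal management network.
    """
    train = parse_version(show_version_output)
    if train not in FIX_PACKAGES:
        raise LookupError(
            f"Sentry {train[0]}.{train[1]} has no fix RPM: upgrade to 9.16 or later "
            "and restrict port 8443 to the management network meanwhile")
    return f"install rpm url {BASE_URL}{FIX_PACKAGES[train]}"


def rpm_matches_version(rpm_filename: str, show_version_output: str) -> bool:
    """Guard against installing a package built for a different Sentry train."""
    m = RPM_RE.match(rpm_filename)
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) == parse_version(show_version_output)


# Constructed sample CLI output; the real appliance wording may differ.
SAMPLE_OUTPUT = "Sentry version 9.18.0 Build 42"

if __name__ == "__main__":
    print(select_fix(SAMPLE_OUTPUT))
```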

For Unsupported Versions

  • Upgrade to a supported Sentry version, then install the appropriate RPM package
  • Alternatively, apply mitigations:
    • Restrict access to port 8443 from external sources
    • Allow access only via the internal management network
    • Block port 8443 on perimeter firewalls

General Recommendations

  • Do not expose the Sentry management interface (port 8443) to the internet
  • Install the RPM package matching your specific Sentry version
  • Fully upgrade older unsupported versions to 9.16 or above

Following these recommendations will ensure that your Ivanti Sentry servers are no longer vulnerable to CVE-2023-38035.

Bottom Line

CVE-2023-38035 represents a serious authentication bypass risk for organizations using vulnerable versions of Ivanti Sentry, especially if port 8443 is open to untrusted networks.

Ivanti has responded quickly by releasing RPM packages to address this vulnerability on supported platforms. So organizations using Sentry 9.16, 9.17 or 9.18 should prioritize upgrading and applying the appropriate hotfix.

For older unsupported versions, upgrading to a supported release is highly recommended. Alternatively, restricting network access to port 8443 can also prevent external exploitation until you can patch the flaw.

As part of a defense-in-depth strategy, it is also advisable to review the security posture of your entire UEM architecture, including Ivanti EPMM servers, and apply all relevant security updates.
