Ivanti Sentry (previously known as MobileIron Sentry) is an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems. It is primarily used with Microsoft Exchange, ActiveSync, and SharePoint servers. Ivanti disclosed a zero-day vulnerability, CVE-2023-38035, that may enable an attacker with no privileges to bypass authentication controls on the administrative interface and gain access to secure admin servers.

Ivanti Sentry’s MICS Admin Portal operates as shown in the image below. This portal can be accessed through TCP port 8443 and utilizes the Apache HTTPD configuration. Although the National Institute of Standards and Technology (NIST) claims to still “be analyzing and therefore unable to disclose information” related to the CVE-2023-38035 zero-day, at the time of writing this post, a CVSSv3 score of 9.8 has been made public. 

Login screen of Ivanti Sentry MICS Admin Portal accessible through TCP port 8443

Ivanti has released a vulnerability patch for this issue that utilizes an RPM script to address vulnerabilities in each Sentry version. Ivanti highly recommends upgrading to a supported product version before applying the RPM script. Different scripts exist for various versions. For versions below 9.15, it is recommended to upgrade to a version higher than 9.16 before applying the new RPM scripts.

The version number “9.17.0” is displayed in the upper right corner of the login screen, indicating the current version of the system administration portal.

| Affected Ivanti Sentry Version(s) | Solution (using RPM Script) |
|---|---|
| 9.18 | Install 9.18.0-3 |
| 9.17 | Install 9.17.0-3 |
| 9.16 | Install 9.16.0-3 |
| 9.15 and lower | Upgrade to 9.16 and above and apply the relevant RPM script |
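
The version-to-fix mapping in the table above can be applied across an asset inventory. The following is an added triage sketch, not code from Ivanti or Criminal IP; the function names, hostnames and sample versions are constructed for illustration, and the version string is assumed to be read from the portal login screen in the form "9.17.0".

```python
import re

# Fixed RPM builds per affected release line, copied from the table above.
FIXED_BUILD = {(9, 18): "9.18.0-3", (9, 17): "9.17.0-3", (9, 16): "9.16.0-3"}
UPGRADE_FIRST_MAX = (9, 15)  # "9.15 and lower" must be upgraded before patching

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor) from a string such as '9.17.0', or None if malformed."""
    m = _VERSION_RE.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def remediation(version_text):
    """Map a portal version string to the action the table prescribes."""
    line = parse_version(version_text)
    if line is None:
        return "unknown: verify the version manually"
    if line in FIXED_BUILD:
        return "install " + FIXED_BUILD[line]
    if line <= UPGRADE_FIRST_MAX:
        return "upgrade to 9.16 or above, then apply the relevant RPM script"
    # Release lines newer than the table are outside what this page covers.
    return "not listed in the table: check the vendor advisory"


def triage(inventory):
    """Return (host, version, action) rows, hosts needing an upgrade listed first."""
    rows = [(host, ver, remediation(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (not r[2].startswith("upgrade"), r[0]))


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "sentry-a.example.internal": "9.17.0",
    "sentry-b.example.internal": "9.12.1",
    "sentry-c.example.internal": "9.18.0",
    "sentry-d.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, ver, action in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {ver:8} {action}")
```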

Searching for the title “MobileIron System Manager” on Criminal IP Asset Search shows that more than 100 servers are currently exposed and potentially vulnerable.

title:"MobileIron System Manager"

* The title filter used in this query allows users to search for IP addresses that contain specific keywords and title tags.

Criminal IP Asset Search results with title: "MobileIron System Manager"

To address the CVE-2023-38035 zero-day issue swiftly, apply the vulnerability patch promptly. If applying patches proves difficult, urgently block all connections to TCP port 8443 as a last resort.

Check out our article on detecting Microsoft Exchange zero-day vulnerabilities with the security OSINT tool.

This report is based on data from Criminal IP, a Cyberthreat Intelligence search engine.


Source: Criminal IP (https://www.criminalip.io/en)

Related Article(s): https://blog.criminalip.io/2022/10/14/ms-exchange-zero-day-vulnerability/