Ivanti Warns of New Actively Exploited MobileIron Zero-Day Bug

Cyber Security Threat Summary:
US-based software company Ivanti has warned its customers that a critical authentication bypass vulnerability in its Sentry API is being actively exploited. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and SharePoint servers, as well as a Kerberos Key Distribution Center Proxy server. The vulnerability, tracked as CVE-2023-38035 and discovered by the cybersecurity firm Mnemonic, allows unauthenticated attackers to access sensitive admin portal configuration APIs through port 8443, which is used by the MobileIron Configuration Service (MICS).

Attackers achieve this by bypassing authentication controls through an insufficiently restrictive Apache HTTPD configuration. Successful exploitation lets them change the configuration, run system commands, or write files on systems running Ivanti Sentry versions 9.18 and prior. Ivanti advised admins not to expose MICS to the Internet and to restrict access to internal management networks. "As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said. "Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version," the company added. Ivanti provides detailed information on applying the Sentry security updates to systems running supported versions in this knowledge base article.
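One way to verify Ivanti's advice that MICS must not be reachable from outside the management network is to audit the Sentry web server's access logs for hits on port 8443 from non-management addresses. The following is an added example, not code from Ivanti or from the article; it assumes the Apache httpd LogFormat records the server port via "%p", an assumed management range of 10.20.0.0/16, and constructed sample log lines whose request paths are placeholders rather than real MICS endpoints.

```python
import ipaddress
import re

# Assumption: Apache httpd on the Sentry appliance logs the server port with "%p",
# giving lines of this constructed shape:
#   <client_ip> <server_port> [<time>] "<request>" <status>
MICS_PORT = 8443                                   # MICS admin listener named in the advisory
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal mgmt range

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def is_management_source(ip: str) -> bool:
    """True if the client address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                               # unparseable address: treat as untrusted
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_exposed_mics_requests(lines):
    """Requests that reached the MICS port from outside the management networks.

    Any hit, even a 401, shows the port is reachable from where it should not be;
    the remedy is network restriction, not only reviewing successful logins.
    """
    return [rec for rec in map(parse_line, lines)
            if rec and rec["port"] == MICS_PORT and not is_management_source(rec["ip"])]


# Constructed sample log lines; request paths are placeholders, not real MICS endpoints.
SAMPLE_LOG = [
    '10.20.5.7 8443 [21/Aug/2023:10:01:02 +0000] "GET / HTTP/1.1" 200',    # internal, expected
    '203.0.113.45 8443 [21/Aug/2023:10:02:10 +0000] "POST / HTTP/1.1" 200', # external hit on MICS
    '198.51.100.9 443 [21/Aug/2023:10:02:30 +0000] "GET / HTTP/1.1" 200',   # ActiveSync port, ignored
    'not a log line',                                                        # skipped
    '192.0.2.77 8443 [21/Aug/2023:10:03:15 +0000] "GET / HTTP/1.1" 401',    # external probe, still a hit
]

if __name__ == "__main__":
    for hit in find_exposed_mics_requests(SAMPLE_LOG):
        print(f"MICS port reached from {hit['ip']} at {hit['time']} (status {hit['status']})")
```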

Security Officer Comments:
State-sponsored hackers have been exploiting two security vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) since April. One of them, CVE-2023-35078, is an authentication bypass that was exploited as a zero-day to breach Norwegian government networks. It could be chained with a directory traversal weakness (CVE-2023-35081), giving attackers with admin privileges the ability to deploy webshells. CISA and Norway’s NCSC-NO issued advisories on these flaws, prompting U.S. federal agencies to patch them by mid-August. Ivanti also recently fixed stack-based buffer overflows (CVE-2023-32560) in its Avalanche software that could result in crashes and arbitrary code execution.

Suggested Correction(s):
Zero-days can be tough to mitigate, depending on what type of device or piece of software is susceptible. The window between vulnerability disclosure and the production, release, and deployment of a patch is the most critical aspect of zero-day vulnerabilities, or of any vulnerability for that matter. An attacker can leverage a vulnerability from the moment it becomes known until systems are patched, which is why vulnerabilities must be responsibly disclosed to vendors. Unfortunately, until development teams release a patch or an effective mitigation, there is not much organizations can do to prevent attackers from exploiting unpatched systems, especially those exposed to the internet - aside from taking them offline entirely. Disconnecting a system can significantly impact business functions, which is why those in IT leadership roles must communicate the possible implications, risks, and overall impact to business leaders so that decisions can be made that weigh all aspects of the business. Applying defense-in-depth strategies and zero trust can significantly help prevent the exploitation of zero-days, but it may not contain a full-blown attack, depending on the severity and type of exploit possible.