Ivanti warns of new actively exploited MobileIron zero-day bug – Source: www.bleepingcomputer.com

US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.

Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers like Microsoft Exchange Server or backend resources such as Sharepoint servers in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.

Discovered and reported by researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).

This is possible after they bypass authentication controls by taking advantage of an insufficiently restrictive Apache HTTPD configuration.

Successful exploitation allows them to change configuration, run system commands, or write files onto systems running Ivanti Sentry versions 9.18 and prior.

Ivanti advised admins not to expose MICS to the Internet and restrict access to internal management networks.

“As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM,” Ivanti said.

“Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have RPM scripts available now for all supported versions. We recommend customers first upgrade to a supported version and then apply the RPM script specifically designed for their version,” the company added.

Ivanti provides detailed information on applying the Sentry security updates onto systems running supported versions in this knowledgebase article.

​Other Ivanti bugs exploited in attacks since April

Since April, state-sponsored hackers have exploited two additional security vulnerabilities within Ivanti’s Endpoint Manager Mobile (EPMM), previously known as MobileIron Core.

One of them (tracked as CVE-2023-35078) is a significant authentication bypass that was abused as a zero-day to breach the networks of various governmental entities in Norway.

The vulnerability can also be chained with a directory traversal flaw (CVE-2023-35081), granting threat actors with administrative privileges the ability to deploy web shells onto compromised systems.

“Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network,” CISA said in an advisory published in early August.

The CISA joint advisory with Norway’s National Cyber Security Centre (NCSC-NO) followed orders issued earlier this month asking U.S. federal agencies to patch the two actively exploited flaws by August 15 and August 21.

One week ago, Ivant also fixed two critical stack-based buffer overflows tracked as CVE-2023-32560 in its Avalanche software, an enterprise mobility management (EMM) solution, that could lead to crashes and arbitrary code execution following exploitation.