Ivanti issues fix for third zero-day flaw exploited in the wild

Ivanti disclosed another critical zero-day vulnerability that is being exploited in the wild, marking the third such case over the last month.

The flaw, tracked as CVE-2023-38035, affects Ivanti Sentry (formerly MobileIron Sentry) versions 9.18 and below and received a critical CVSS score of 9.8 out of 10. Ivanti Sentry, a component of the Unified Endpoint Management Solutions platform, is used to secure data between mobile devices and corporate systems. The software vendor credited cybersecurity company Mnemonic for reporting the vulnerability that was discovered in the MobileIron Configuration Service administrative portal, also known as port 8443.

In a security advisory, Ivanti warned exploitation could let an unauthenticated attacker access some sensitive APIs used to configure the Ivanti Sentry on port 8443. Customers are urged to upgrade to the fixed versions and apply the RPM scripts with a disclaimer that each script is customized for a single version.

Additional information was revealed in two other posts Monday, including a blog post that highlighted some positive news.

"While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet," Ivanti wrote in a blog post.

In a knowledge base (KB) article for CVE-2023-38035, Ivanti said taking port 8443 offline is also vital because "exploitation is only possible through the System Manager Portal."

The KB also addressed the attack scope and expanded on the API authentication bypass vulnerability. Ivanti revealed active exploitation has affected a "limited number of customers" so far. Based on analysis, Ivanti said it does not believe the flaw is part of a supply chain attack and said the vendor itself has not been compromised because of CVE-2023-38035.

However, remediation steps to address the vulnerability were not so simple. Ivanti warned customers that using the wrong RPM script for their version may prevent the flaw from being remediated or may cause system instability. One known issue Ivanti highlighted was customers receiving an error message that reads, "Unable to save the configuration" after entering reload command in Sentry 9.16 version.

"We recommend to type 'reload' command again to restart the services successfully. Please contact support if the issue happens repeatedly," Ivanti wrote in the KB.

It is unclear how many customers have been affected by the issue or its influence on the overall remediation process. Ivanti recommended ensuring that the firewall blocks external access to Sentry on port 8443 as a quick fix and to restrict port access to IT administrators only.

The KB also mentioned two other recent additional zero-day vulnerabilities, tracked as CVE-2023-35078 and CVE-2023-35081, that were discovered in Ivanti Endpoint Manager Mobile (EPMM). The most critical was CVE-2023-35078, an authentication bypass vulnerability that was disclosed in late July and rated a 10 out 10 CVSS score. Ivanti disclosed the vulnerabilities were chained by attackers to exploit Norwegian government's Departments' Security and Service and Organization late last month.

Although the three vulnerabilities were reported as actively exploited within one month of one other, Ivanti emphasized that CVE-2023-38035 affected Ivanti Sentry and not EPMM.

"Ivanti has been informed that CVE-2023-38035 was exploited after exploiting CVE-2023-35078 and CVE-2023-35081," the blog read.

On Tuesday, CVE-2023-38035 joined CVE-2023-35078 and CVE-2023-35081 on CISA's Known Exploited Vulnerabilities Catalog, which indicates enterprises should prioritize remediation.

Arielle Waldman is a Boston-based reporter covering enterprise security news.