DIVD-2023-00034 - API Authentication Bypass Vulnerability in Ivanti Sentry
Our reference | DIVD-2023-00034 |
Case lead | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Limit access to port 8443 and install the RPM scripts given in Ivanti's Security Advisory. |
Patch status | Mitigated |
Status | Closed |
Last modified | 26 Sep 2023 09:39 CEST |
Summary
A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. The vulnerability impacts all supported versions up until version 9.18. If exploited, this vulnerability enables an unauthenticated attacker to access sensitive API endpoints that are used to configure Ivanti Sentry on the administrator portal. Public proofs of concept are also available that chain the exposed API endpoints into remote code execution (RCE) on the server. The risk can be mitigated by limiting access to port 8443 and installing the RPM scripts provided in the Security Advisory. This vulnerability is actively being exploited, so the mitigation should be applied as soon as possible.
Recommendations
Limit access to port 8443 on the administrator portal (known as MICS, MobileIron Configuration Service) and install the Ivanti-provided RPM scripts to mitigate the problem.
What we are doing
DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps.
Timeline
Date | Description |
---|---|
22 Aug 2023 | DIVD starts scanning for this vulnerability. |
22 Aug 2023 | First version of this casefile. |
23 Aug 2023 | First round of notifications sent. |
02 Sep 2023 | Second round of notifications sent. |
03 Sep 2023 | DIVD monitors decrease of vulnerable hosts. |
26 Sep 2023 | Case closed. |