
Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035

Proof-of-concept exploit code for critical Ivanti Sentry authentication bypass flaw CVE-2023-38035 has been released.

Researchers released a proof-of-concept (PoC) exploit code for critical Ivanti Sentry authentication bypass vulnerability CVE-2023-38035 (CVSS score 9.8).

This week the software company Ivanti released urgent security patches to address the critical-severity vulnerability CVE-2023-38035 impacting the Ivanti Sentry (formerly MobileIron Sentry) product.

The vulnerability could be exploited to access sensitive API data and configurations, run system commands, or write files onto the system. The vulnerability CVE-2023-38035 impacts Sentry versions 9.18 and prior.

“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS). While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet,” reads the advisory published by the company. “Successful exploitation can be used to change configuration, run system commands, or write files onto the system. Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet.”

The company is aware of a limited number of customers impacted by this vulnerability.

The company pointed out that there is a low risk of exploitation for customers who do not expose port 8443 to the internet.

Ivanti recommends that customers restrict access to MICS to internal management networks and avoid exposing this to the internet.

Today, researchers at cybersecurity firm Horizon3 have published a technical analysis for this vulnerability and a proof-of-concept (PoC) exploit.

“A technical root cause analysis of the vulnerability can be found on our blog: https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive,” states Horizon3. “This POC abuses an unauthenticated command injection to execute arbitrary commands as the root user.

The execution context does not allow for command piping, and the system does not ship with easily abusable binaries, so commands can be chained to download a static ncat from somewhere like https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/ncat.”

The researchers identified more than 500 instances exposed on the internet using Shodan.

The researchers explained that there aren’t any definitive IoCs that can be used to detect the exploitation attempts for this issue. However, any unrecognized HTTP requests to /services/* should be carefully analyzed.

“The endpoint that we exploited is likely not the only one that would allow an attacker to take control of the machine,” state the researchers.

“Ivanti Sentry doesn’t offer a standard Unix shell, but if a known exploited system is being forensically analyzed, /var/log/tomcat2/ contains access logs that can be used to check which endpoints were accessed. Lastly, there are logs in the web interface that might be of use to check for any suspicious activity.”
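The two detection hints above (review unrecognized requests to /services/*, and use the Tomcat access logs under /var/log/tomcat2/ to see which endpoints were hit) can be turned into a small triage script. The following is an added example written for this article, not code from Horizon3 or Ivanti. It assumes the access logs use Tomcat's common AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the sample log lines, the `KNOWN_SERVICES_PATHS` allow-list and the `INTERNAL_PREFIXES` management ranges are all constructed placeholders that a team would replace with its own known-good baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b  (assumed format)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines for demonstration; not real logs from any system.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2023:10:15:32 +0000] "GET /mics/login HTTP/1.1" 200 4821
10.0.0.5 - admin [21/Aug/2023:10:15:40 +0000] "POST /services/health HTTP/1.1" 200 88
203.0.113.77 - - [21/Aug/2023:10:16:02 +0000] "POST /services/ HTTP/1.1" 200 512
203.0.113.77 - - [21/Aug/2023:10:16:05 +0000] "POST /services/ HTTP/1.1" 500 0
10.0.0.9 - - [21/Aug/2023:10:17:10 +0000] "GET /static/app.js HTTP/1.1" 304 -
malformed line that should be skipped
"""

# Hypothetical allow-list of /services/ endpoints already reviewed as expected traffic;
# build yours from a known-good baseline of the appliance's normal activity.
KNOWN_SERVICES_PATHS = {"/services/health"}

# Hypothetical address ranges permitted to reach the MICS portal (port 8443).
INTERNAL_PREFIXES = ("10.", "192.168.")


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious_services_requests(log_text, known_paths=KNOWN_SERVICES_PATHS,
                                      internal_prefixes=INTERNAL_PREFIXES):
    """Return records for requests under /services/ that are either not on the
    allow-list or originate outside the internal management ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings when matching
        if not path.startswith("/services/"):
            continue
        reasons = []
        if path not in known_paths:
            reasons.append("unrecognized /services/ endpoint")
        if not rec["host"].startswith(internal_prefixes):
            reasons.append("source outside management network")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address to surface repeated attempts from one host."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious_services_requests(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["time"].isoformat()} {h["host"]} {h["method"]} {h["path"]} '
              f'{h["status"]} :: {", ".join(h["reasons"])}')
    print(dict(summarize_by_source(flagged)))
```

Run against the constructed sample, the script skips the malformed line, ignores the allow-listed `/services/health` call from an internal address, and flags the two `POST /services/` requests from `203.0.113.77` on both counts. Since the researchers note there are no definitive IoCs for this issue, the allow-list approach is the practical one: anything under `/services/` that is not part of the appliance's baseline gets a human look, and the per-source summary helps prioritize hosts that hit the endpoint repeatedly.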

This week, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by September 14.


Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti Sentry)
