CVE-2023-38035
published 2023-08-21

Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-09-12
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
ivanti | mobileiron_sentry | <= 9.18.0 |
ivanti | mobileiron_sentry | >= 9.18.0 and below < 9.18.0 and below | 9.18.0 and below
ivanti | sentry | |

Detection & IOCs (extracted from sources)

port: 8443
  • Monitor for authentication bypass attempts against the MICS Admin Portal (MICSLogService) on port 8443; the vulnerability stems from an insufficiently restrictive Apache HTTPD configuration allowing unauthenticated access to administrative API endpoints.
  • Successful exploitation can lead to unauthenticated remote code execution as root and configuration changes to the server and underlying OS; monitor for unexpected root-level process execution originating from the Sentry web service.
  • GreyNoise continues to observe active scan/exploit attempts targeting CVE-2023-38035; correlate inbound traffic to port 8443 on Ivanti Sentry appliances against GreyNoise tag 'IVANTI (MOBILEIRON) SENTRY AUTH BYPASS ATTEMPT'.
  • A public Metasploit module exists for CVE-2023-38035 (ivanti_sentry_misc_log_service.rb) targeting the MICSLogService endpoint; detection rules should account for exploitation tooling using this module.
  • A public PoC exploit was published by the Horizon3 Attack Team on August 23, 2023; treat any Ivanti Sentry 9.18.0 and below exposed on port 8443 as likely targeted.
  • The vulnerability is rooted in an insufficiently restrictive Apache HTTPD configuration on the MICS Admin Portal; organizations that do not expose port 8443 to the internet have a lower (but not zero) risk of exploitation.
  • At time of initial disclosure no patch was available; Ivanti provided RPM scripts as a workaround. Ensure the vendor-supplied RPM scripts have been applied to all affected Ivanti MobileIron Sentry 9.18.0 and below instances.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL
cisa | 9.8 | CRITICAL