Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes.
Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an due to an insufficiently restrictive Apache HTTPD configuration.
"If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS)," the company said.
"While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet."
Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files onto the system. It's recommended that users restrict access to MICS to internal management networks.
While exact details surrounding the nature of exploitation are currently unknown, the company said it's "only aware of a limited number of customers" who have been affected.
Norwegian cybersecurity company mnemonic has been credited with discovering and reporting the flaw.
"Successful exploitation allows an unauthenticated threat actor to read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of 'super user do' (sudo)," it said.
What's more, CVE-2023-38035 could be weaponized after exploiting CVE-2023-35078 and CVE-2023-35081, two other recently disclosed flaws in the Ivanti Endpoint Manager Mobile (EPMM), in scenarios where port 8443 is not publicly accessible as the admin portal is used to communicate with the Ivanti EPMM server.
The development comes a week after Ivanti fixed two critical stack-based buffer overflow flaws (CVE-2023-32560) in its Avalanche software that could lead to crashes and arbitrary code execution on vulnerable installations.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added CVE-2023-38035 to its its Known Exploited Vulnerabilities (KEV) catalog, alongside CVE-2023-27532, a critical bug in Veeam Backup & Replication software, following active in-the-wild exploitation.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the patches by September 12, 2023, to secure their networks against possible cyber attacks.
PoC for the Flaw Now Available
Horizon3.ai has published a proof-of-concept (PoC) for CVE-2023-38035, making it imperative that enterprises prioritize applying the patch. The cybersecurity firm said it identified over 500 MobileIron Sentry instances that are exposed to the internet as of August 24, 2023, most of which are from Germany, the U.S., the U.K., China, and France.