Zero-Day Can Be Exploited by Chaining It With Last Month’s Ivanti MobileIron Bugs
Mobile endpoint security vendor Ivanti disclosed a critical vulnerability that could allow an attacker to take complete control of an Ivanti Sentry gateway server, which stands between mobile devices and back-end infrastructure.
See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense
The vulnerability, tracked as CVE-2023-38035, has a severity score of 9.8 and can be chained with the zero-days in Ivanti’s Endpoint Manager Mobile platform that were disclosed earlier, for exploitation, said researchers at Mnemonic, who reported the bug.
Ivanti said it is aware of the bug being exploited in a limited number of customers but did not reveal further specifics.
Successful exploitation of CVE-2023-38035 allows an unauthenticated threat actor to read and write files to the Ivanti Sentry server and execute operating system commands as a system administrator using the “super user do,” the researchers say.
An attacker can bypass authentication controls on the administrative interface due to an insufficient restrictive Apache HTTPD configuration, Ivanti said in a separate security advisory.
The exploitation of the latest zero-day is only possible in some API endpoints in the MobileIron Configuration Service, the System Manager Portal that runs by default on port 8443. “If port 8443 is not exposed to the internet, a threat actor requires internal access,” the researchers said.
“The vulnerable System Manager Portal is used to communicate with the Ivanti EPMM server,” they said, which allows CVE-2023-38035 to be chained with the zero-day bugs disclosed earlier.
Ivanti on July 23 patched a critically rated zero-day vulnerability in its Endpoint Manager Mobile platform – formerly known as MobileIron Core – after an unidentified threat actor used it to attack a dozen Norway government ministries (see: Ivanti Zero-Day Used in Norway Government Breach).
The company later released a second emergency patch (see: Ivanti Says Second Zero-Day Used in Norway Government Breach).
Government security agencies in Australia and Germany recommended that users update their vulnerable Sentry products.