Horizon3.ai Publishes POC for Ivanti Sentry Authentication Bypass

Ivanti yesterday updated the alert “KB API Authentication Bypass on Sentry Administrator Interface” – an advisory for CVE-2023-38035. The vulnerability has been added to CISA KEV and comes on the heels of an in-the-wild-exploited vulnerability in Ivanti EPMM (CVE-2023-35078). 

Horizon3.ai has just published a Proof of Concept (POC) and deep dive into how this new vulnerability can be used to give an attacker the ability to remotely execute code as the root user.

Horizon3.ai Exploit Developer James Horseman noted: “There aren’t any definitive IoCs that we have found so far. However, any unrecognized HTTP requests to /services/* should be cause for concern. The endpoint that we exploited is likely not the only one that would allow an attacker to take control of the machine. Ivanti Sentry doesn’t offer a standard Unix shell, but if a known exploited system is being forensically analyzed, /var/log/tomcat2/ contains access logs that can be used to check which endpoints were accessed. Lastly, there are logs in the web interface that might be of use to check for any suspicious activity.”
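The access-log check Horseman describes, as an added example that is not code from the Horizon3.ai writeup or from Ivanti: it parses Tomcat access log lines and flags every request whose path falls under /services/, optionally ignoring sources the analyst already recognizes. It assumes the logs under /var/log/tomcat2/ use Tomcat's default common log format (`%h %l %u %t "%r" %s %b`); the sample lines are constructed, and the /services/ paths in them are placeholders, not the endpoint Horizon3.ai exploited.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed log layout: Tomcat AccessLogValve's default common format
# '%h %l %u %t "%r" %s %b'. If the Sentry appliance is configured with a
# different pattern, adjust LOG_RE to match it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix that the Horizon3.ai writeup says should be cause for concern.
SUSPICIOUS_PREFIX = "/services/"


@dataclass
class Hit:
    host: str
    time: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_services_requests(lines: Iterable[str],
                           known_sources: Optional[Set[str]] = None) -> List[Hit]:
    """Return every request to /services/* not coming from a recognized source.

    known_sources: client addresses the analyst already expects to talk to the
    API (hypothetical allowlist; empty by default so nothing is hidden).
    """
    known = known_sources or set()
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the scan
        path = rec["path"].split("?", 1)[0]  # compare the path without its query string
        if path.startswith(SUSPICIOUS_PREFIX) and rec["host"] not in known:
            hits.append(Hit(rec["host"], rec["time"], rec["method"], path,
                            int(rec["status"])))
    return hits


# Constructed sample log (not taken from a real appliance): two ordinary UI
# requests, one junk line, and two requests under /services/ from one source.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2023:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5123
10.0.0.5 - - [24/Aug/2023:10:01:15 +0000] "POST /login HTTP/1.1" 302 -
203.0.113.7 - - [24/Aug/2023:10:02:40 +0000] "POST /services/example HTTP/1.1" 200 84
garbage line that does not match the pattern
203.0.113.7 - - [24/Aug/2023:10:02:41 +0000] "GET /services/other?x=1 HTTP/1.1" 200 12
"""


def scan_text(text: str, known_sources: Optional[Set[str]] = None) -> List[Hit]:
    """Convenience wrapper: scan a whole log file's contents."""
    return find_services_requests(text.splitlines(), known_sources)


if __name__ == "__main__":
    # On an appliance you would feed in the files from /var/log/tomcat2/ instead.
    for h in scan_text(SAMPLE_LOG):
        print(f"{h.time} {h.host} {h.method} {h.path} -> {h.status}")
```

Every /services/ hit is reported regardless of response status, since a 200 on an endpoint nobody should be calling is exactly the signal of interest; the allowlist only exists so a known integration's traffic can be set aside once the analyst has confirmed it.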

Ivanti’s August 23rd advisory for Sentry (formerly MobileIron Sentry) states that “CVE-2023-38035 enables an unauthenticated actor with access to the System Manager Portal (default hosted on port 8443) to make configuration changes to Sentry and underlying operating system. Successful exploitation can ultimately allow a malicious actor to execute OS commands on the appliance as root.” Exploitation is only possible through the System Manager Portal, hosted on port 8443 by default, so limiting which networks can reach that port directly limits exposure.

You can read the deep dive here.
