Ivanti Warns of Critical New Zero-Day Bug

Security vendor Ivanti has urged customers to remediate a newly discovered zero-day vulnerability in its Ivanti Sentry product without delay.

Formerly known as MobileIron Sentry, Ivanti Sentry is a secure mobile gateway designed to manage, encrypt and secure traffic traveling between employee devices and back-end corporate systems.

A new advisory published by the vendor yesterday revealed that the CVSS 9.8-rated bug (CVE-2023-38035) affects versions 9.18 and earlier of the product.

“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS). While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet,” it claimed.

“Successful exploitation can be used to change configuration, run system commands, or write files onto the system. Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet.”

Ivanti said it was only aware of a “limited number” of customers being impacted by CVE-2023-38035.

The firm urged customers to first upgrade to a supported version of the product and then apply the RPM script specifically designed for their version. It warned that if the wrong script is applied it “may prevent the vulnerability from being remediated or cause system instability.”

This is just the latest in a slew of advisories Ivanti has published over recent weeks, beginning with the zero-day (CVE-2023-35078) that was exploited by nation-state actors to compromise the Norwegian government.

CVE-2023-35081 and CVE-2023-35082 soon followed, with researchers warning that the two could be chained in attacks. They also claimed CVE-2023-35081 could be chained with CVE-2023-35078. All three were discovered in products formerly belonging to MobileIron.

Last week, Ivanti was also forced to patch CVE-2023-32560 – two stack-based buffer overflow bugs found in its Avalanche product.
