More patches arrive from Ivanti


Zero-day fixed in Sentry gateway software.

Ivanti has once again scrambled to plug a zero-day vulnerability which may have been exploited in the wild.

The latest bug, CVE-2023-38035, affects its Sentry software (formerly MobileIron Sentry), a mobile gateway that manages and encrypts traffic between mobile devices and backend enterprise systems.

The vulnerability carries a CVSS score of 9.8, making it a critical bug.

The company doesn’t say whether exploits have been seen, but said in a forum post that “as of now, we are only aware of a limited number of customers impacted by CVE-2023-38035.”

“This vulnerability impacts all supported versions – Versions 9.18, 9.17 and 9.16. Older versions/releases are also at risk,” Ivanti’s advisory states.

“This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM [mobile device management].”

“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS).”

The bug allows an attacker to bypass authentication controls on the administrative interface “due to an insufficiently restrictive Apache HTTPD configuration,” Ivanti said.

“While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet,” the advisory stated.

The company has made fixes available by remote package manager (RPM) scripts.

August has been a busy month for Ivanti.

First, the company patched CVE-2023-35082, a follow-up to CVE-2023-35078, an API authentication bug in its endpoint manager that potentially exposed user information and configuration information.

Then, on August 17, iTnews reported the company had patched a number of buffer overflows in its Avalanche software.
