Proof-of-concept exploit code is now available for a critical Ivanti Sentry authentication bypass vulnerability that enables attackers to execute code remotely as root on vulnerable systems.
Discovered by cybersecurity company mnemonic, the flaw (CVE-2023-38035) allows threat actors to access sensitive Sentry administrator interface APIs by exploiting an insufficiently restrictive Apache HTTPD configuration.
Successful exploitation can let them run system commands or write files onto systems running Ivanti Sentry versions 9.18 and prior.
Today, security researchers at attack surface assessment company Horizon3 have published a technical root cause analysis for this high-severity vulnerability and a proof-of-concept (PoC) exploit.
“This POC abuses an unauthenticated command injection to execute arbitrary commands as the root user,” Horizon3 vulnerability researcher James Horseman said.
“We recommend that any affected users of this product patch and verify that it is not exposed externally to the internet if possible.”
Used in attacks as a zero-day
Ivanti provides detailed info on applying the Sentry security updates in this knowledgebase article. The company also confirmed that some of its customers were impacted by CVE-2023-38035 attacks and advised admins to restrict access to the internal network.
However, according to a Shodan search, more than 500 Ivanti Sentry instances are currently exposed online.
Starting in April, state-affiliated hackers have abused two other security vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM), previously recognized as MobileIron Core.
A week ago, Ivant patched another pair of critical stack-based buffer overflows collectively tracked as CVE-2023-32560 within its Avalanche enterprise mobility management (EMM) solution, which could lead to system crashes and arbitrary execution of code upon successful attacks.