CVE-2023-38035
Published: 21 August 2023
Summary
CVE-2023-38035 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Ivanti MobileIron Sentry. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2023-38035 is an authentication bypass vulnerability in the MICS Admin Portal component of Ivanti MobileIron Sentry versions 9.18.0 and earlier. The flaw stems from an insufficiently restrictive Apache HTTPD configuration that fails to enforce proper access controls, corresponding to CWE-863.
Unauthenticated attackers with network access can exploit the issue to bypass authentication on the administrative interface, potentially gaining full control over the Sentry instance. With a CVSS score of 9.8, the vulnerability allows remote attackers to achieve high-impact outcomes including confidentiality, integrity, and availability compromises without requiring credentials or user interaction.
Ivanti advisory information and CISA listings direct administrators to apply available patches or configuration updates for affected Sentry deployments. Public references also include proof-of-concept material demonstrating authentication bypass leading to remote code execution.
The vulnerability appears in CISA's known exploited vulnerabilities catalog, and its EPSS score has reached a peak of 0.9751 with a current value of 0.9442, indicating sustained exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41862
Vulnerability details
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
- CWE(s): CWE-863 (Incorrect Authorization)
- KEV Date Added: 22 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and access-control policy on the admin portal, blocking the described bypass of Apache HTTPD restrictions.
- CM-6 (Configuration Settings): Requires hardened, restrictive configuration settings for the Apache HTTPD component whose insufficient restrictions enable the authentication bypass.
- IA-2 (Identification and Authentication (Organizational Users)): Mandates identification and authentication of organizational users before any administrative interface access is granted, directly countering the unauthenticated bypass path.