
Exploit Code Published for Ivanti Sentry Flaw

Three days after Ivanti warned customers about a new actively exploited vulnerability in its Sentry appliances, researchers have released a working proof-of-concept exploit for the bug.

The vulnerability (CVE-2023-38035) is an authentication bypass in the Ivanti Sentry appliance (formerly MobileIron Sentry), an in-line gateway that manages mobile device traffic between endpoints and back-end services. It affects all supported versions (9.16 through 9.18), and Ivanti noted that older, unsupported releases are also at risk. Ivanti published an advisory about the bug on Monday and warned that it was already aware of limited exploitation.

“CVE-2023-38035 enables an unauthenticated actor with access to the System Manager Portal (default hosted on port 8443) to make configuration changes to Sentry and underlying operating system. Successful exploitation can ultimately allow a malicious actor to execute OS commands on the appliance as root,” the advisory says.

“Ivanti has been informed of the exploitation of a very limited number of customers.”

On Thursday, offensive security researchers at Horizon3 released a detailed analysis of the vulnerability, including the exploitation path, and published a PoC exploit alongside it. The researchers were not, however, able to identify any specific indicators of compromise tied to exploitation of the bug.

“There aren’t any definitive IoCs that we have found so far. However, any unrecognized HTTP requests to /services/* should be cause for concern. The endpoint that we exploited is likely not the only one that would allow an attacker to take control of the machine,” James Horseman of Horizon3 said in a post.

“Ivanti Sentry doesn’t offer a standard Unix shell, but if a known exploited system is being forensically analyzed, /var/log/tomcat2/ contains access logs that can be used to check which endpoints were accessed. Lastly, there are logs in the web interface that might be of use to check for any suspicious activity.”
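The triage Horseman describes, reading the Tomcat access logs and flagging requests to /services/* from hosts that are not known management systems, can be scripted. The following is an added example written for this article, not code from Ivanti or Horizon3. It assumes the access log uses Tomcat's default "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b); the log lines, IP addresses and endpoint names below are constructed for illustration and do not correspond to real Sentry endpoints or to any known attacker infrastructure. It also normalizes paths (URL decoding, dot-segment collapsing, query-string removal) so that an encoded or traversal-style request for the same endpoint is not missed by a naive prefix match.

```python
import posixpath
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import unquote

# Assumed Tomcat "common" pattern: %h %l %u %t "%r" %s %b
# Adjust the regex if the appliance's AccessLogValve is configured differently.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log, not real forensic data. 10.0.5.21 plays the role of a
# legitimate management host; the other addresses are placeholders. The endpoint
# names under /services/ are invented and are not the one Horizon3 exploited.
SAMPLE_LOG = """\
10.0.5.21 - - [22/Aug/2023:09:14:02 +0000] "GET /admin/login HTTP/1.1" 200 5120
10.0.5.21 - admin [22/Aug/2023:09:14:10 +0000] "POST /services/ExampleEndpoint HTTP/1.1" 200 318
203.0.113.44 - - [22/Aug/2023:11:03:55 +0000] "POST /services/ExampleEndpoint HTTP/1.1" 200 318
203.0.113.44 - - [22/Aug/2023:11:04:01 +0000] "POST /services/ExampleEndpoint HTTP/1.1" 200 318
203.0.113.44 - - [22/Aug/2023:11:04:09 +0000] "POST /admin/../services/ExampleEndpoint?x=1 HTTP/1.1" 200 318
198.51.100.7 - - [22/Aug/2023:13:20:41 +0000] "GET /%73ervices/OtherEndpoint HTTP/1.1" 404 612
this line is deliberately malformed and must be skipped
"""


def normalize_path(raw: str) -> str:
    """Drop the query string, URL-decode, and collapse dot segments so that
    /admin/../services/X?x=1 and /%73ervices/X both compare as /services/X."""
    path = unquote(raw.split("?", 1)[0])
    return posixpath.normpath(path)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["norm_path"] = normalize_path(rec["path"])
    return rec


def is_services_path(norm_path: str) -> bool:
    return norm_path == "/services" or norm_path.startswith("/services/")


def find_services_hits(lines: Iterable[str],
                       allowed_sources: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """Return parsed entries that touch /services/* from a host that is not on
    the allow-list of known management systems. Malformed lines are skipped,
    not treated as suspicious, so a parse failure never hides a real hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_services_path(rec["norm_path"]) and rec["host"] not in allowed_sources:
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Aggregate by (client, normalized path) so a scanning host is one row."""
    return Counter((h["host"], h["norm_path"]) for h in hits)


if __name__ == "__main__":
    known_admins = {"10.0.5.21"}
    found = find_services_hits(SAMPLE_LOG.splitlines(), known_admins)
    for (host, path), n in summarize(found).most_common():
        print(f"{n:4d}  {host:<15}  {path}")
```

Run it against a copy of the log pulled from /var/log/tomcat2/ on the appliance and populate the allow-list with the hosts that legitimately talk to the System Manager Portal; anything left over is what to investigate first. The allow-list should be treated as a prioritization aid rather than a verdict, since an attacker who has already obtained a foothold on a management host would not be filtered out by it.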

Enterprises that have not yet updated their Ivanti Sentry appliances should prioritize the patch: the bug was already being exploited before a PoC existed, and the public exploit lowers the bar for everyone else. Ivanti has also recommended restricting access to the System Manager Portal on port 8443 to internal management networks and not exposing it to the internet, which limits the attack surface until the fix is applied, and organizations with exposed appliances should review their access logs for unexpected requests in the meantime.