back to article Ivanti Sentry exploited in the wild, patches emitted

A critical authentication bypass bug in MobileIron Sentry has been exploited in the wild, its maker Ivanti said in an advisory on Monday. This vulnerability, tracked as CVE-2023-38035, is a 9.8-of-10 flaw in terms of CVSS severity, and strictly speaking lies within Ivanti Sentry, formerly known as MobileIron Sentry. This is a …

  1. Potemkine! Silver badge

    The company declined to answer The Register's specific questions about the security flaw, including how many customers were compromised.

    This is a bad policy. A company should be totally transparent when talking about cybersecurity incidents, or people will start to think it's hiding something.

  2. sitta_europea Silver badge

    "Each script is customized for a single version." The vendor also noted that applying the wrong script may prevent the issue from being fixed or cause "system instability.""

    So the script can't find out which version it's running on?

    That doesn't inspire confidence.

  3. Bebu Silver badge
    Windows

    An Embuggerance doesn't cut it here :)

    Fundamentally all the poor sods who paid their hard earned for this product might as well have not bothered and just left the front door wide open and hope any burglars would trip over their narcoleptic guard dog.

  4. t245t Silver badge
    Terminator

    Security device has security bug.

    The security device is only as secure as the underlying OS. What design decisions thought it a good idea to leave an administration port exposed to the Internet?

    1. that one in the corner Silver badge

      Re: Security device has security bug.

      > The security device is only as secure as the underlying OS.

      Sorry, are you trying to imply that the fact an admin port was open and exposed indicates that there is a security flaw in the OS itself?

      Whether or not port 8443 was open is a decision made by the Sentry program (or by its setup) not the OS.

      Exposing a port - any port - to the Internet is a matter of router/firewall configuration; that may not even be under the control of the same hardware, let alone indicate an issue with the OS (the article notes that port "may not be public facing", see quote below).

      > What design decisions thought it a good idea to leave an administration port exposed to the Internet?

      >> attackers must be able to reach administrative API port 8443 of a vulnerable Sentry deployment, which may not be public facing.

      >> there is a low risk of exploitation for customers who do not expose port 8443 to the internet

      Presumably, those who did leave this accessible via the Internet made the decision to do so in order that they could remotely admin their system? Something that people do seem to like to do (maybe to allow WFH?).

      As the article notes, the problem with doing that is down to an inadequate Apache config (wild guess - the admin functions are accessed by web pages).

      Hopefully, you are not trying to suggest that web servers should not be exposed to the Internet? Otherwise there are a lot of admin tasks that a lot of people do that will get a lot harder!

      1. Anonymous Coward
        Anonymous Coward

        Re: Security device has security bug.

        > Hopefully, you are not trying to suggest that web servers should not be exposed to the Internet? Otherwise there are a lot of admin tasks that a lot of people do that will get a lot harder!

        Without web servers on the Internet a lot more than admin tasks would be harder!

    2. Anonymous Coward
      Anonymous Coward

      Re: Security device has security bug.

      On my CenturyLink modem/router, the TR-069 administration port (4567) was world-accessible. I found this out by doing a port-scan from a free website (so fully external, not LAN/WAN or inside CenturyLink's network). No one at CenturyLink I managed to talk to had ever heard of this (thank you Tier -1 tech support), but I found several websites documenting it. As it was bonded DSL, there were only a couple models in existence that could cope with that type of connection, so buying my own was pretty much out of the question.

      One of these days someone will figure out how to get into these, and suddenly there will be a massive botnet made of them. I'm now on T-Mobile with a non-publicly-addressable modem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like