Ivanti Patches Critical RCE Standalone Sentry Flaw

Ivanti has disclosed a critical remote code execution flaw in several versions of Standalone Sentry. The software company is urging customers to apply patches for the flaw immediately.

Ivanti Standalone Sentry (formerly known as MobileIron Sentry) is the standalone version of Ivanti’s software component that manages and secures traffic between devices and back-end enterprise systems. The flaw (CVE-2023-41724) is rated 9.6 out of 10 on the CVSS scale. If exploited, it can enable an unauthenticated attacker within the same physical or logical network to execute arbitrary commands on the underlying operating system of the impacted appliance.

“There is a patch available now via the standard download portal,” said Ivanti in its advisory this week. “We strongly encourage customers to act immediately to ensure they are fully protected.”

The flaw impacts versions 9.17.0, 9.18.0 and 9.19.0 of Standalone Sentry. Older versions are also at risk, Ivanti said. At the time of disclosure, Ivanti said it was not aware of the flaw being exploited.

Ivanti noted that threat actors that don’t have a valid TLS client certificate enrolled through Ivanti Endpoint Manager Mobile (EPMM) can’t directly exploit the issue on the Internet.

In its advisory, Ivanti thanked Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of the North Atlantic Treaty Organization (NATO) Cyber Security Centre “for their collaboration on this issue.” The NATO Cyber Security Centre is described as NATO’s first line of cyber defense and is responsible for tasks related to security, incident response and information assurance.

“We reserved the CVE number for this vulnerability when our internal team identified the vulnerability at the end of 2023, and worked to develop a fix for customers, which is now available,” said Ivanti in a knowledge base article on the flaw. “It is Ivanti’s policy that when a CVE is not under active exploitation that we disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.”

Ivanti’s Sentry software has been previously targeted by attackers: Last year, Ivanti warned that a bug in the product (CVE-2023-38035) was enabling unauthenticated attackers to bypass authentication controls on the administrative interface, allowing them to change configurations, write files onto the system and execute OS commands on the appliance as root.

This newest critical flaw also comes a little over a month after Ivanti grappled with fallout from several actively exploited vulnerabilities in its Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. Security researchers previously found zero-day exploitation of the flaws in the wild starting Dec. 3, by a China-nexus espionage threat actor tracked as UNC5221.