Global Impact (at time of dissemination)
• 270+ Sentry publicly-facing hosts worldwide
• 10% of these hosts with remote access capabilities
Top affected countries:
1. Germany
2. US
3. France
4. UK
5. China
Summary
Censys is aware that on March 18, 2024 Ivanti published CVE-2023-41724, a remote code execution (RCE) vulnerability in its Standalone Sentry product. This CVE was updated on March 25, 2024. According to Dark Reading, the vulnerability “allows an unauthenticated attacker to execute arbitrary code on the underlying operating system.”
Impact
Standalone Sentry, according to Ivanti, helps manage access to various organizational assets by interacting with backend enterprise resources. This level of privilege and access makes Sentry a valuable target in that it can provide opportunities for lateral movement within an organization. This concern is arguably lessened since “Threat actors without a valid TLS client certificate enrolled through EPMM / N-MDM cannot directly exploit this issue on the Internet,” (Ivanti).
However, publicly-exposed Standalone Sentry assets may serve as attractive targets for possible attackers.
Affected Assets
According to Ivanti, ”this vulnerability impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk.”
Censys’ Rapid Response Team was able to identify specific, affected versions of Sentry assets with the ASM Risk listed below. The Search and ASM queries find all Sentry assets that are publicly-facing and recently observed from our scans, regardless of version.
Note that “MobileIron” is the legacy name for this asset and was acquired by Ivanti; Censys uses this nomenclature in order to accurately and comprehensively identify affected assets.
Censys ASM Risk Name for Potentially Vulnerable Devices
“Vulnerable Ivanti Sentry [CVE-2023-41724]”
Censys ASM customers will see this risk applied to affected assets in their workspaces. Those that have signed up for Rapid Response Automated Risk Alerting will be contacted directly regarding affected assets.
Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.
Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.
Recommendations for remediation
from Ivanti state that owners of these assets should
– employ a patch that is “available now via the standard download portal for Ivanti Standalone Sentry Supported Release (9.17.1, 9.18.1 and 9.19.1)
If you need assistance in positively identifying these assets, please let us know.
