Ivanti has fixed a critical RCE vulnerability (CVE-2023-41724) in Ivanti Standalone Sentry that was reported by researchers with the NATO Cyber Security Centre.
Though the company is not aware of customers being compromised via the flaw, it “strongly encourages” them to implement the patch immediately.
About CVE-2023-41724
Ivanti Standalone Sentry is an appliance that acts as a gateway between devices and an organization’s ActiveSync-enabled email servers (e.g., Microsoft Exchange Server) or backend resources (e.g., Microsoft Sharepoint server). It can also be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server.
As per usual, details about the nature of the vulnerability have not been shared, but Ivanti explained that an unauthenticated threat actor within the same physical or logical network could exploit CVE-2023-41724 to execute arbitrary commands on the appliance’s operating system.
“Threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the Internet,” the company noted.
The vulnerability affects all supported versions of Ivanti Standalone Sentry (9.17.0, 9.18.0, and 9.19.0) as well as older, unsupported ones (<9.17.0). Users of the latter are advised to upgrade to a supported version and deploy the patch (9.17.1, 9.18.1 or 9.19.1).
About CVE-2023-46808
Simultaneously, Ivanti has also announced available fixes for another critical vulnerability (CVE-2023-46808) that affects Ivanti Neurons for ITSM – an IT service management solution for help desks and technical support teams.
It’s a vulnerability that could allow an attacker to write files to sensitive directories and, consequently, allow them to execute commands in the context of the web application’s user. But to be able to do it, the attacker must first be authenticated by the system.
CVE-2023-46808 was also privately reported to Ivanti via its responsible disclosure program, and the company says they are “not aware of any customers being exploited by this vulnerability at the time of disclosure.”
Still, organizations should upgrade their on-premises installations to a version containing the fix – v2023.3, 2023.2 or 2023.1 – as soon as possible.
Ivanti has already applied the patch to all Ivanti Neurons for ITSM Cloud landscapes, the company noted.
Given the recent attacks involving the exploitation of 0-day and 1-day vulnerabilities in Ivanti Connect Secure VPN, Ivanti EPMM and MobileIron Core, Ivanti’s advice for quick action is understandable.
CVE-2023-41724 and CVE-2023-46808 were reported last year, which is why they have CVE numbers that start with “2023”, the company explained. “It is Ivanti’s policy that when a CVE is not under active exploitation that we disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.”