Attacker Value: High (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Adjacent_network

CVE-2023-41724

Disclosure Date: March 31, 2024

Description

A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows an unauthenticated threat actor within the same physical or logical network to execute arbitrary commands on the underlying operating system of the appliance.

Technical Analysis

Ivanti Standalone Sentry serves as a conduit, connecting devices with an organization’s ActiveSync-compatible email systems (like Microsoft Exchange Server) or other backend resources (such as Microsoft SharePoint server). It’s also capable of functioning as a Kerberos Key Distribution Center Proxy (KKDCP) server.

While specifics on the vulnerability remain undisclosed, Ivanti has stated that an unauthenticated attacker, if present on the same physical or logical network, could leverage CVE-2023-41724 to carry out unauthorized command execution on the operating system of the appliance.

The firm also highlighted that this security issue cannot be exploited over the internet by threat actors lacking a valid TLS client certificate obtained through EPMM.

This security flaw impacts all supported versions of Ivanti Standalone Sentry (versions 9.17.0, 9.18.0, and 9.19.0), in addition to older, no longer supported versions (below 9.17.0). Users of these older versions are encouraged to update to a supported release and apply the corresponding patch (versions 9.17.1, 9.18.1, or 9.19.1).

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Adjacent_network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • ivanti

Products

  • standalone sentry
