nessus
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
IVANTI_SENTRY_CVE-2023-38035.NASL
HistoryAug 24, 2023 - 12:00 a.m.

Ivanti Sentri Authentication Bypass (CVE-2023-38035)

2023-08-24 00:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
31
ivanti sentry
mics admin portal
authentication bypass

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.975

Percentile

100.0%

A security vulnerability exists in the MICS Admin Portal of Ivanti MobileIron Sentry versions 9.18.0 and below. It may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

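Note that Nessus has not tested for these issues but has instead relied only on the service’s self-reported version number. A finding therefore means that an affected build appears to be installed; it does not show whether the administrative interface is reachable or whether the flaw has been exercised.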

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Registration block: when `description` is set, this block declares the
# plugin's metadata and dependencies and then leaves via exit(0), so the
# version check further down the file is not reached in that pass.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(180172);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/28");

  # Cross-references: the CVE, a CISA Known Exploited Vulnerabilities entry and a CEA identifier.
  # NOTE(review): the CISA-KNOWN-EXPLOITED value looks like a date tied to the KEV entry
  # (presumably the remediation due date) - confirm which date is intended.
  script_cve_id("CVE-2023-38035");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/09/12");
  script_xref(name:"CEA-ID", value:"CEA-2023-0040");

  # NOTE(review): "Sentri" appears to be a typo for "Sentry"; the string is left untouched here
  # because it is the published plugin name.
  script_name(english:"Ivanti Sentri Authentication Bypass (CVE-2023-38035)");

  # Short and long finding text shown to the user. The long text states that the
  # check relies on the self-reported version number and does not test the flaw.
  script_set_attribute(attribute:"synopsis", value:
"Ivanti Sentry, running on the remote host is affected by a authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an
attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache
HTTPD configuration.

Note that Nessus has not tested for these issues but has instead relied only on the service's self-reported version
number.");
  # Vendor advisory; the attribute below stores a short link, presumably resolving to this article.
  # https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6bf8d40");
  # The builds named here match the fixed_version values used by the version check later in this file.
  script_set_attribute(attribute:"solution", value:
"Update to Ivanti Sentry version 9.16.0a, 9.17.0a, 9.18.0a or later");
  # CVSS v2 and v3.0 base and temporal vectors; the base score is attributed to the CVE itself.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38035");

  # Exploit-availability flags: public exploit code is recorded as available, including a
  # Metasploit module, which raises the urgency of remediating any finding.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Disclosure, patch and plugin publication dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/24");

  # Registered as a "local" plugin for the Ivanti Sentry CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ivanti:sentry");
  script_end_attributes();

  # Information-gathering category; per the description text above, the check
  # relies on the reported version rather than probing the flaw.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the Ivanti Sentry detection plugin and requires the
  # "installed_sw/Ivanti Sentry" key that the detection is expected to record.
  script_dependencies("ivanti_sentry_detect.nbin");
  script_require_keys("installed_sw/Ivanti Sentry");

  # End of the registration pass.
  exit(0);
}

include('vcf.inc');

# Fetch the install record that detection stored for this product.
var app_info = vcf::get_app_info(app:'Ivanti Sentry');

# Compare against the mi-mics package version when detection recorded one;
# otherwise fall back to the product version.
var reported_version = app_info['mi-mics package version'];
if (empty_or_null(reported_version))
  reported_version = app_info.version;

app_info.parsed_version = vcf::parse_version(reported_version);

# Affected ranges, each ending at its first fixed build.
# Advisory states "older versions are also at risk", hence the open lower bound on the first range.
# NOTE(review): this relies on vcf ordering the 'a'-suffixed builds above the
# unsuffixed release of the same number - confirm against vcf.inc.
var affected_ranges = [
  { 'min_version':'0.0', 'fixed_version':'9.16.0a' },
  { 'min_version':'9.17.0', 'fixed_version':'9.17.0a' },
  { 'min_version':'9.18.0', 'fixed_version':'9.18.0a' }
];

# Version comparison only: a report means an affected build is installed,
# not that the authentication bypass itself was tested.
vcf::check_version_and_report(
  app_info:app_info,
  constraints:affected_ranges,
  severity:SECURITY_HOLE
);
