Two significant security flaws, designated as CVE-2023-32560, have been unearthed in Ivanti Avalanche. This enterprise mobility management (EMM) solution is tasked with the management, monitoring, and security of diverse mobile devices.
The flaws have been classified as critical (CVSS v3: 9.8) and can be exploited remotely without requiring user authentication. This potentially enables malicious actors to execute arbitrary code on the targeted system.
Affected Versions and Exploitation of Ivanti Avalanche Vulnerabilities
The vulnerability specifically impacts versions earlier than 18.104.22.168 of WLAvalancheService[.]exe. This executable communicates through TCP port 1777.
Exploitation involves sending specially crafted packets to that port containing either a hexadecimal string (data type 3) or a series of decimal strings separated by semicolons (data type 9).
For data type 3, WLAvalancheService[.]exe uses a fixed-size stack-based buffer to hold the binary data converted from the hex string. An unauthenticated remote attacker can trigger a stack-based buffer overflow by supplying a hex string longer than that buffer.
Similarly, for data type 9, WLAvalancheService[.]exe copies each user-supplied decimal string into a fixed-size stack-based buffer before converting it to an integer with atol(); an overly long string overflows that buffer in the same way, before the conversion ever happens.
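The two parsing patterns above are a textbook case of decoding attacker-controlled length into a fixed stack buffer. The C below is an added example written for this page, not Ivanti's code: it shows how both message types can be parsed so that an oversized or malformed field is rejected instead of overflowing the buffer. The buffer sizes (MAX_BIN_LEN, MAX_DEC_LEN, MAX_FIELDS) are hypothetical, chosen for the example; the page does not state the real service's sizes or wire format beyond "hex string" and "semicolon-separated decimals".

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds for this example; the real service's sizes are not on the page. */
#define MAX_BIN_LEN 64   /* fixed-size stack buffer for decoded type-3 data            */
#define MAX_DEC_LEN 11   /* longest decimal field accepted, e.g. "-2147483648"          */
#define MAX_FIELDS  8    /* most type-9 fields a single message may carry              */

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Type 3: decode a hex string into a caller-provided buffer of out_len bytes.
   Returns the number of bytes written, or -1 if the input is malformed or would
   not fit. The length check is exactly what the vulnerable pattern lacks. */
int decode_hex_bounded(const char *hex, unsigned char *out, size_t out_len) {
    size_t n = strlen(hex);
    if (n % 2 != 0) return -1;           /* every byte needs two hex digits */
    if (n / 2 > out_len) return -1;      /* reject before touching the buffer */
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1; /* non-hex character */
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Type 9: parse "12;34;56" into longs. Each field is copied into a bounded
   stack buffer only after its length is checked, and strtol() replaces atol()
   so overflow (ERANGE) and trailing garbage are detected rather than ignored.
   Returns the number of fields parsed, or -1 on malformed or oversized input. */
int parse_decimal_list(const char *s, long *out, size_t max_fields) {
    size_t count = 0;
    const char *p = s;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || len > MAX_DEC_LEN) return -1; /* empty or oversized field */
        if (count >= max_fields) return -1;            /* too many fields */
        char field[MAX_DEC_LEN + 1];
        memcpy(field, p, len);
        field[len] = '\0';
        char *stop;
        errno = 0;
        long v = strtol(field, &stop, 10);
        if (errno == ERANGE || *stop != '\0') return -1; /* atol() would accept this silently */
        out[count++] = v;
        p = end ? end + 1 : p + len;
    }
    return (int)count;
}

/* Small wrappers that own their stack buffers, so callers see only a result code. */
int type3_fits(const char *hex) {
    unsigned char bin[MAX_BIN_LEN];
    return decode_hex_bounded(hex, bin, sizeof bin);
}

/* Constructed oversized input: one byte more than the buffer, encoded as hex. */
int type3_oversized_demo(void) {
    char hex[2 * (MAX_BIN_LEN + 1) + 1];
    memset(hex, 'f', sizeof hex - 1);
    hex[sizeof hex - 1] = '\0';
    return type3_fits(hex);   /* -1: rejected instead of overflowing */
}

int type9_count(const char *s) {
    long vals[MAX_FIELDS];
    return parse_decimal_list(s, vals, MAX_FIELDS);
}

/* Returns the idx-th parsed value, or LONG_MIN if parsing failed or idx is out of range. */
long type9_value(const char *s, size_t idx) {
    long vals[MAX_FIELDS];
    int n = parse_decimal_list(s, vals, MAX_FIELDS);
    if (n < 0 || idx >= (size_t)n) return LONG_MIN;
    return vals[idx];
}

int main(void) {
    printf("type 3 \"deadbeef\" -> %d bytes\n", type3_fits("deadbeef"));
    printf("type 3 oversized   -> %d (rejected)\n", type3_oversized_demo());
    printf("type 9 \"10;20;30\" -> %d fields\n", type9_count("10;20;30"));
    printf("type 9 \"12a\"      -> %d (rejected)\n", type9_count("12a"));
    return 0;
}
```

The point of the wrappers is that the bound lives with the buffer it protects: a caller cannot pass a length the parser does not check against the destination size, which is the property the vulnerable pattern described above gives up.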
Ivanti Avalanche Security Update: Patching Multiple Vulnerabilities
Avalanche version 6.4.1 fixes CVE-2023-32560 and also addresses the following vulnerabilities:
CVE-2023-32561 (Ivanti Avalanche dumpHeap Vulnerability with Incorrect Permission Assignment, leading to Authentication Bypass)
CVE-2023-32562 (Ivanti Avalanche FileStoreConfig Vulnerability allowing Arbitrary File Upload and Remote Code Execution)
CVE-2023-32563 (Ivanti Avalanche updateSkin Vulnerability involving Directory Traversal and Remote Code Execution)
CVE-2023-32564 (Ivanti Avalanche FileStoreConfig Vulnerability permitting Arbitrary File Upload and Remote Code Execution)
CVE-2023-32565 (Ivanti Avalanche SecureFilter Content-Type Vulnerability, potentially leading to Authentication Bypass)
CVE-2023-32566 (Ivanti Avalanche SecureFilter allowPassThrough Vulnerability, potentially leading to Authentication Bypass)
The Ongoing Threat Landscape Surrounding Ivanti
Furthermore, malicious actors recently exploited a zero-day authentication bypass vulnerability (CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM). The flaw allowed unauthorized access to a platform used by numerous ministries within the Norwegian government.
The breach could have exposed both sensitive and classified data. For more detail on that vulnerability, see our blog post here.