Advisory

Ivanti reports another critical vulnerability - this time in Ivanti Avalanche

Take action: Hackers have already exploited Ivanti products in the past few months. Because Ivanti products are used by enterprises and governments, they are an attractive entry point to high-value targets. Start planning your patch ASAP. In the meantime, check whether you can block TCP port 1777 from the internet to keep attackers from sending malicious data packets to it.


Learn More

Ivanti Avalanche, an enterprise mobility management (EMM) solution used to manage mobile devices, is affected by two critical pre-auth stack buffer overflow vulnerabilities, tracked under the same CVE. 

A stack-based buffer overflow is a security issue in which a program writes more data to a fixed-size buffer on the stack than the buffer can hold. The excess data overwrites adjacent memory locations, which can crash the program or allow the execution of arbitrary code.

The vulnerability is tracked as CVE-2023-32560 (CVSS3 score of 9.8). These vulnerabilities are remotely exploitable without user authentication and could potentially permit attackers to execute arbitrary code on the targeted system.

These vulnerabilities are centered around the executable WLAvalancheService.exe, version 6.4.0.0 and earlier, which communicates via TCP port 1777. The weakness is triggered when an attacker sends specially crafted data packets containing hex strings (type 3) or a list of decimal strings separated by semicolons (type 9). Because the service stores the converted data in a fixed-size stack-based buffer, oversized input causes a buffer overflow.
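As an added illustration (not Avalanche's code and not the actual logic of WLAvalancheService.exe), the following C shows the bug class the advisory describes for a type 9 payload: a semicolon-separated list of decimal strings converted into a fixed-size stack array. The unsafe variant never bounds the element count; the hardened variant rejects the packet once the buffer is full or the format is malformed. MAX_VALUES, the function names and the 256-byte copy buffer are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUES 8   /* assumed capacity of the fixed-size stack buffer */

/* Unsafe pattern (illustrative): each semicolon-separated decimal field is
 * converted and stored into a fixed-size stack array with no check on the
 * count, so more than MAX_VALUES fields write past the end of values[]. */
int parse_type9_unsafe(const char *payload)
{
    uint32_t values[MAX_VALUES];
    char buf[256];                         /* assumed copy buffer for strtok */
    int n = 0;
    strncpy(buf, payload, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";"))
        values[n++] = (uint32_t)strtoul(tok, NULL, 10);   /* n is never bounded */
    return n;
}

/* Hardened version: the caller passes the buffer and its capacity, every
 * field must be plain decimal, and the packet is rejected (-1) as soon as
 * the buffer is full or the format is malformed, instead of overflowing. */
int parse_type9_safe(const char *payload, uint32_t *out, size_t cap)
{
    size_t n = 0;
    const char *p = payload;
    while (*p) {
        char *end;
        if (*p < '0' || *p > '9') return -1;      /* empty or non-decimal field */
        unsigned long v = strtoul(p, &end, 10);
        if (v > UINT32_MAX) return -1;            /* value does not fit the element */
        if (n >= cap) return -1;                  /* buffer full: reject, never overrun */
        out[n++] = (uint32_t)v;
        if (*end == '\0') break;
        if (*end != ';' || end[1] == '\0') return -1;  /* junk or trailing ';' */
        p = end + 1;
    }
    return (int)n;
}

/* Same fixed-size stack buffer as the unsafe variant, now bounds-checked. */
int handle_type9(const char *payload)
{
    uint32_t values[MAX_VALUES];
    return parse_type9_safe(payload, values, MAX_VALUES);
}
```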

Security researchers from Tenable notified Ivanti about the issues on April 4, 2023 and shared a PoC exploit on April 13, 2023. The disclosure window was extended to give the vendor more time to address these vulnerabilities.

Ivanti released Avalanche version 6.4.1, which includes a security update for the vulnerability, on August 3, 2023. This update addresses CVE-2023-32560 as well as several other vulnerabilities (CVE-2023-32561, CVE-2023-32562, CVE-2023-32563, CVE-2023-32564, CVE-2023-32565, and CVE-2023-32566).

Given that Ivanti software is deployed in critical systems and environments, and that Ivanti Endpoint Manager Mobile (EPMM) has already been exploited in the attack on Norwegian government institutions, it is safe to assume that threat actors will be very interested in exploiting this vulnerability.
