SB2023121810 - Multiple vulnerabilities in Ivanti Avalanche

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Incorrect default permissions (CVE-ID: CVE-2023-41726)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions within the product installer. A local user can escalate privileges and execute arbitrary code in the context of SYSTEM.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-43554)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to missing authentication within the configuration of Apache Derby, used by the Smart Device Service, which leads to security restrictions bypass and privilege escalation.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-43555)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to missing authentication within the configuration of Apache Derby, used by the Printer Device Service, which leads to security restrictions bypass and privilege escalation.

4) Arbitrary file upload (CVE-ID: CVE-2023-41725)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload within the saveConfig method. A local user can upload a malicious file and execute it on the server.

Remediation

Install update from vendor's website.

References

• https://download.wavelink.com/Files/avalanche_v6.4.1.236_release_notes.txt
• https://www.zerodayinitiative.com/advisories/ZDI-23-1799/
• https://www.zerodayinitiative.com/advisories/ZDI-23-1801/
• https://www.zerodayinitiative.com/advisories/ZDI-23-1802/
• https://www.zerodayinitiative.com/advisories/ZDI-23-1800/