SB2023121904 - Multiple vulnerabilities in Ivanti Avalanche
Published: December 19, 2023 Updated: January 15, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2023-41727)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within MuProperty type 100. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Stack-based buffer overflow (CVE-ID: CVE-2023-46216)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within MuProperty type 101. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Stack-based buffer overflow (CVE-ID: CVE-2023-46217)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within MuProperty type 102. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Integer underflow (CVE-ID: CVE-2023-46804)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer underflow within the WLAvalancheService. A remote attacker can send specially crafted packets to the system, trigger an integer underflow and perform a denial of service (DoS) attack.
5) Stack-based buffer overflow (CVE-ID: CVE-2023-46220)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling packets within the WLAvalancheService in the Mobile Device Server. A remote unauthenticated attacker can send specially crafted packets to he system, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Stack-based buffer overflow (CVE-ID: CVE-2023-46221)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted packets to the system, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-46262)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the validateAMCWSConnection method. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
8) XML External Entity injection (CVE-ID: CVE-2023-46265)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the decode method in the Smart Device Server. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
9) Improper Authentication (CVE-ID: CVE-2021-22962)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the allowPassThrough method. A remote attacker can send a specially crafted request, bypass authentication process and gain unauthorized access to the application.
10) Stack-based buffer overflow (CVE-ID: CVE-2023-46259)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Arbitrary file upload (CVE-ID: CVE-2023-46263)
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the FileStoreConfig app. A remote administrator can upload a malicious file and execute it on the server.
12) Stack-based buffer overflow (CVE-ID: CVE-2023-46225)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
13) Division by zero (CVE-ID: CVE-2023-46803)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the divide-by-zero issue within the WLAvalancheService. A remote attacker can send specially crafted data packets to the Mobile Device Server and perform a denial of service (DoS) attack.
14) Stack-based buffer overflow (CVE-ID: CVE-2023-46258)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Stack-based buffer overflow (CVE-ID: CVE-2023-46257)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Stack-based buffer overflow (CVE-ID: CVE-2023-46223)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Stack-based buffer overflow (CVE-ID: CVE-2023-46222)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
18) Arbitrary file upload (CVE-ID: CVE-2023-46264)
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the FileStoreConfig app. A remote administrator can upload a malicious file and execute it on the server.
19) Stack-based buffer overflow (CVE-ID: CVE-2023-46224)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLAvalancheService. A remote unauthenticated attacker can send specially crafted data packets to the Mobile Device Server, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
20) Improper Authentication (CVE-ID: CVE-2023-46266)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper handling of the requested URI and accompanying Content-Type HTTP request header within the SecureFilter class. A remote attacker can bypass authentication process and gain unauthorized access to the application.
21) Heap-based buffer overflow (CVE-ID: CVE-2023-46261)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLInfoRailService. A remote attacker can send specially crafted data packets to the Mobile Device Server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
22) NULL pointer dereference (CVE-ID: CVE-2023-46260)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the WLAvalancheService. A remote attacker can send specially crafted data packets to the Mobile Device Server and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://www.tenable.com/security/research/tra-2023-42
- https://download.wavelink.com/Files/avalanche_v6.4.2_release_notes.txt
- https://www.zerodayinitiative.com/advisories/ZDI-24-071/
- https://forums.ivanti.com/s/article/Avalanche-6-4-2-Security-Hardening-and-CVEs-addressed?language=en_US
- https://www.zerodayinitiative.com/advisories/ZDI-24-066/
- https://www.zerodayinitiative.com/advisories/ZDI-24-068/
- https://www.zerodayinitiative.com/advisories/ZDI-24-053/
- https://www.zerodayinitiative.com/advisories/ZDI-24-054/
- https://www.zerodayinitiative.com/advisories/ZDI-24-058/
- https://www.zerodayinitiative.com/advisories/ZDI-24-061/
- https://www.zerodayinitiative.com/advisories/ZDI-24-056/
- https://www.zerodayinitiative.com/advisories/ZDI-24-063/
- https://www.zerodayinitiative.com/advisories/ZDI-24-067/
- https://www.zerodayinitiative.com/advisories/ZDI-24-065/
- https://www.zerodayinitiative.com/advisories/ZDI-24-064/
- https://www.zerodayinitiative.com/advisories/ZDI-24-070/
- https://www.zerodayinitiative.com/advisories/ZDI-24-069/
- https://www.zerodayinitiative.com/advisories/ZDI-24-055/
- https://www.zerodayinitiative.com/advisories/ZDI-24-062/
- https://www.zerodayinitiative.com/advisories/ZDI-24-057/
- https://www.zerodayinitiative.com/advisories/ZDI-24-059/
- https://www.zerodayinitiative.com/advisories/ZDI-24-060/