Multiple vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):
- A Heap Overflow vulnerability in WLInfoRailService before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands. (CVE-2024-22061, CVE-2024-24996, CVE-2024-29204)
- An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution. (CVE-2024-23532)
- An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. (CVE-2024-23534)
- A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. (CVE-2024-23535, CVE-2024-24992, CVE-2024-24994, CVE-2024-24997, CVE-2024-24998, CVE-2024-24999, CVE-2024-25000, CVE-2024-27976)
- A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. (CVE-2024-24993, CVE-2024-24995)
- An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. (CVE-2024-27975)
Details of lower severity vulnerabilities:
- An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. (CVE-2024-23526, CVE-2024-23527, CVE-2024-23528, CVE-2024-23529, CVE-2024-23530, CVE-2024-23533)
- An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory. (CVE-2024-23531)
- A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. (CVE-2024-24991, CVE-2024-27978)
- A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. (CVE-2024-27984)
Successful exploitation could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.