Warning: Unauthenticated RCE In Ivanti Avalanche
CVE-2023-32560: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Ivanti (vendor): https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32560
Risks
An unauthenticated remote attacker can trigger a Denial of Service (DoS) and/or execute arbitrary code remotely, possibly leading to a compromise of system/data integrity, confidentiality, and/or availability.
Description
Ivanti Avalanche, formerly known as Wavelink Avalanche, is an enterprise mobility management (EMM) solution. An unauthenticated attacker can send a specially crafted message to the Ivanti Avalanche Manager, which could result in service disruption or arbitrary code execution.
Ivanti Avalanche v6.4.1 also contains patches for several other authentication bypass and/or RCE vulnerabilities.
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends that system administrators take the following actions to mitigate the impact of this vulnerability in the most efficient way.
Patch
Please upgrade to the vendor's recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.
- Avalanche 6.4.1 and later releases
Monitor/detect
The CCB recommends that organizations upscale their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred prior to patching.
References
Original researcher's report: https://www.tenable.com/security/research/tra-2023-27