Skip to content

2023-099: Critical Vulnerabilities in Ivanti Avalanche

Table of Contents

On December 20, 2023, Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. These vulnerabilities, if exploited, could lead to Remote Code Execution or Denial of Service. The updates also cover 8 medium- and high-severity bugs that attackers could exploit in denial of service, remote code execution, and server-side request forgery (SSRF) attacks.
It is strongly recommended updating as soon as possible.


Ivanti Releases Patches for 13 Critical Avalanche RCE Flaws

Technical Bulletin: Ivanti Releases Patches for 13 Critical Avalanche RCE Flaws

History:

21/12/2023 --- v1.0 -- Initial publication

Summary

On December 20, 2023, Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. These vulnerabilities, if exploited, could lead to Remote Code Execution or Denial of Service [1,2]. The updates also cover 8 medium- and high-severity bugs that attackers could exploit in denial of service, remote code execution, and server-side request forgery (SSRF) attacks. It is strongly recommended updating as soon as possible.

Technical Details

The 13 critical security vulnerabilities, all with a CVSS score of 9.8, could be exploited by remote attackers sending specially crafted data packets to the Mobile Device Server to cause memory corruption (buffer overflow) which could result in a Denial of Service (DoS) or code execution. The vulnerabilities include: CVE-2023-41727, CVE-2023-46216, CVE-2023-46217, CVE-2023-46220, CVE-2023-46221, CVE-2023-46222, CVE-2023-46223, CVE-2023-46224, CVE-2023-46225, CVE-2023-46257, CVE-2023-46258, CVE-2023-46259, CVE-2023-46260, and CVE-2023-46261.

The vulnerability CVE-2023-46260, with a CVSS score of 7.5, is caused by a Null Pointer Dereference that, if exploited, could lead to a Denial of Service condition.

The vulnerability CVE-2023-46262, with a CVSS score of 7.5, could be exploited by an unauthenticated attacker sending a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

The vulnerability CVE-2023-46266, with a CVSS score of 7.3, could be exploited by an attacker sending a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

The vulnerabilities CVE-2023-46263 and CVE-2023-46264, with a CVSS score of 7.2, could allow an attacker to upload of files with dangerous type in Avalanche and to achieve a remove code execution.

The vulnerabilities CVE-2023-46803 and CVE-2023-46804, with a CVSS score of 7.5, could be exploited by an attacker sending specially crafted data packets to the Mobile Device Server to cause a Denial of Service (DoS).

The vulnerability CVE-2023-46265, with a CVSS score of 6.5, could be exploited by an unauthenticated attacker to leak data or perform a Server-Side Request Forgery (SSRF) on the Smart Device Server.

Affected Products

These vulnerabilities affect at least Ivanti Avalanche versions 6.4.1 and 6.4.2. According to Ivanti, these vulnerabilities highly likely affect all Avalanche versions 6.X [2].

Recommendations

It is strongly recommended updating as soon as possible.

References

  1. Ivanti Releases Patches for 13 Critical Avalanche RCE Flaws
  2. Ivanti Announcement on Avalanche 6.4.2 Security Hardening and CVEs Addressed

```htmlMITRE ATT&CK Matrix Analysis

MITRE ATT&CK Matrix Analysis

Enterprise

Tactic Technique/Sub-Technique Potential Attacker Groups Mitigation
Initial Access T1190 - Exploit Public-Facing Application APT groups, Cybercriminals Update to Ivanti Avalanche version 6.4.3 or later.
Execution T1203 - Exploitation for Client Execution APT groups, Cybercriminals Apply the latest security patches.
Privilege Escalation T1068 - Exploitation for Privilege Escalation APT groups, Cybercriminals Implement Principle of Least Privilege.
Defense Evasion T1027 - Obfuscated Files or Information APT groups, Cybercriminals Enhanced monitoring of abnormal activities.
Credential Access T1110 - Brute Force APT groups, Cybercriminals Enable lockout policies and MFA.
Discovery T1083 - File and Directory Discovery
T1046 - Network Service Scanning
APT groups, Cybercriminals Network segmentation and monitoring.
Lateral Movement T1570 - Lateral Tool Transfer APT groups, Cybercriminals Restrict lateral movement within the network.
Collection T1005 - Data from Local System APT groups, Cybercriminals Regularly back up and encrypt sensitive data.
Impact T1489 - Service Stop
T1499 - Endpoint Denial of Service
APT groups, Cybercriminals Implement redundancy, rate limiting, and patch management.

Mobile

Tactic Technique/Sub-Technique Potential Attacker Groups Mitigation
Initial Access M6: Exploit via Public-Facing Application APT groups, Cybercriminals Update MDM software and mobile applications.
Execution M8: Client Execution APT groups, Cybercriminals Utilize app vetting and endpoint protection.
Security Policy M10: Modify Device Security Policy APT groups, Cybercriminals Enforce and audit security policies on devices.
Network Effects M3: Denial of Service APT groups, Cybercriminals Optimize network architecture for resilience.

ICS

Tactic Technique/Sub-Technique Potential Attacker Groups Mitigation
Initial Access T1190 - External Remote Services APT groups, Cybercriminals Ensure strong VPN authentication for remote services.
Persistence T0867 - Modify System Image APT groups, Cybercriminals Conduct frequent integrity checks.
Inhibit Response Function T0812 - Loss of View
T0814 - Loss of Control
APT groups, Cybercriminals Redundancy in monitoring and control systems.

References:

  • [1] BleepingComputer
  • [2] Ivanti Forums

```


This post was generated entirely by an AI language model. Source: CERT EU

Latest