SB20240417128 - Multiple vulnerabilities in Ivanti Avalanche
Published: April 17, 2024 Updated: April 24, 2024
Description
This security bulletin contains information about 27 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-24994)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
2) Path traversal (CVE-ID: CVE-2024-27984)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
3) NULL pointer dereference (CVE-ID: CVE-2024-27978)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the WLAvalancheService component. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
4) Path traversal (CVE-ID: CVE-2024-27977)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
5) Path traversal (CVE-ID: CVE-2024-27976)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
6) Path traversal (CVE-ID: CVE-2024-25000)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
7) Path traversal (CVE-ID: CVE-2024-24999)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
8) Path traversal (CVE-ID: CVE-2024-24998)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
9) Path traversal (CVE-ID: CVE-2024-24997)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
10) Heap-based buffer overflow (CVE-ID: CVE-2024-24996)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLInfoRailService component. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Race condition (CVE-ID: CVE-2024-24995)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition within the web component. A remote user can exploit the race and compromise the affected system.
12) Race condition (CVE-ID: CVE-2024-24993)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition within the web component. A remote user can exploit the race and compromise the affected system.
13) Heap-based buffer overflow (CVE-ID: CVE-2024-22061)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WLInfoRailService component. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
14) Path traversal (CVE-ID: CVE-2024-24992)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
15) NULL pointer dereference (CVE-ID: CVE-2024-24991)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the WLAvalancheService component. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
16) Path traversal (CVE-ID: CVE-2024-23535)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files with SYSTEM privileges.
17) Arbitrary file upload (CVE-ID: CVE-2024-23534)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to insufficient validation of files during file upload within the web component. A remote user can upload a malicious file and execute it on the server.
18) Out-of-bounds read (CVE-ID: CVE-2024-23532)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote authenticated user can send specially crafted data to the system, trigger an out-of-bounds read error and execute arbitrary code.
19) Out-of-bounds read (CVE-ID: CVE-2024-23533)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote user can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
20) Integer overflow (CVE-ID: CVE-2024-23531)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow within the WLInfoRailService component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.
21) Out-of-bounds read (CVE-ID: CVE-2024-23530)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote attacker can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
22) Out-of-bounds read (CVE-ID: CVE-2024-23529)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote attacker can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
23) Out-of-bounds read (CVE-ID: CVE-2024-23528)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote attacker can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
24) Out-of-bounds read (CVE-ID: CVE-2024-23527)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote attacker can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
25) Out-of-bounds read (CVE-ID: CVE-2024-23526)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAvalancheService component. A remote attacker can send specially crafted packets to the system, trigger an out-of-bounds read error and read contents of memory.
26) Use-after-free (CVE-ID: CVE-2024-27975)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the WLAvalancheService component. A remote user can send specially crafted packets to the system and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
27) Heap-based buffer overflow (CVE-ID: CVE-2024-29204)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the WLAvalancheService component. A remote user can send specially crafted data to port 1777/tcp, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.
References
- https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US
- https://www.zerodayinitiative.com/advisories/ZDI-24-384/
- https://www.zerodayinitiative.com/advisories/ZDI-24-395/
- https://www.zerodayinitiative.com/advisories/ZDI-24-394/
- https://www.zerodayinitiative.com/advisories/ZDI-24-393/
- https://www.zerodayinitiative.com/advisories/ZDI-24-392/
- https://www.zerodayinitiative.com/advisories/ZDI-24-390/
- https://www.zerodayinitiative.com/advisories/ZDI-24-389/
- https://www.zerodayinitiative.com/advisories/ZDI-24-388/
- https://www.zerodayinitiative.com/advisories/ZDI-24-387/
- https://www.zerodayinitiative.com/advisories/ZDI-24-386/
- https://www.zerodayinitiative.com/advisories/ZDI-24-385/
- https://www.zerodayinitiative.com/advisories/ZDI-24-383/
- https://www.zerodayinitiative.com/advisories/ZDI-24-370/
- https://www.zerodayinitiative.com/advisories/ZDI-24-382/
- https://www.zerodayinitiative.com/advisories/ZDI-24-381/
- https://www.zerodayinitiative.com/advisories/ZDI-24-380/
- https://www.zerodayinitiative.com/advisories/ZDI-24-379/
- https://www.zerodayinitiative.com/advisories/ZDI-24-378/
- https://www.zerodayinitiative.com/advisories/ZDI-24-377/
- https://www.zerodayinitiative.com/advisories/ZDI-24-376/
- https://www.zerodayinitiative.com/advisories/ZDI-24-375/
- https://www.zerodayinitiative.com/advisories/ZDI-24-374/
- https://www.zerodayinitiative.com/advisories/ZDI-24-373/
- https://www.zerodayinitiative.com/advisories/ZDI-24-372/
- https://www.zerodayinitiative.com/advisories/ZDI-24-371/
- https://www.zerodayinitiative.com/advisories/ZDI-24-391/
- https://www.tenable.com/security/research/tra-2024-10