A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
The vulnerability results from a heap buffer overflow error (heap overflow, CWE-122) in the WLAvalancheService component. An attacker can send a specially crafted network request to the vulnerable service without any authentication. The heap buffer overflow allows overwriting critical data structures in the process memory, which ultimately enables taking control of its execution and running arbitrary code.
An unauthenticated remote attacker can execute arbitrary system commands on the server, which in practice means complete takeover of the vulnerable system, data disclosure, modification or destruction.
Ivanti Avalanche should be updated to version 6.4.3 or newer. Detailed information about available patches is available in the official security bulletin from the vendor: https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed
Ivanti Avalanche in all versions before 6.4.3 (WLAvalancheService component)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Avalanche
APPIvanti< 6.4.3.528
Related vulnerabilities
Buffer overflow w Ivanti Avalanche Manager umożliwiający RCE bez uwierzytelnienia
Path Traversal w Ivanti Avalanche — nieuprawnione usuwanie plików i DoS
Heap Overflow w Ivanti Avalanche umożliwiający RCE bez uwierzytelnienia
Heap overflow w Ivanti Avalanche umożliwia zdalne wykonanie kodu
Ivanti Avalanche — RCE/DoS przez korupcję pamięci w Mobile Device Server