Technical Bulletin: Ivanti Releases Patches for 13 Critical Avalanche RCE Flaws
History:
21/12/2023 --- v1.0 -- Initial publication
Summary
On December 20, 2023, Ivanti released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. These vulnerabilities, if exploited, could lead to Remote Code Execution or Denial of Service [1,2]. The updates also cover 8 medium- and high-severity bugs that attackers could exploit in denial of service, remote code execution, and server-side request forgery (SSRF) attacks. It is strongly recommended to update as soon as possible.
Technical Details
The 13 critical security vulnerabilities, all with a CVSS score of 9.8, could be exploited by remote attackers sending specially crafted data packets to the Mobile Device Server to cause memory corruption (buffer overflow) which could result in a Denial of Service (DoS) or code execution. The vulnerabilities include: CVE-2023-41727, CVE-2023-46216, CVE-2023-46217, CVE-2023-46220, CVE-2023-46221, CVE-2023-46222, CVE-2023-46223, CVE-2023-46224, CVE-2023-46225, CVE-2023-46257, CVE-2023-46258, CVE-2023-46259, CVE-2023-46260, and CVE-2023-46261.
The vulnerability CVE-2023-46260, with a CVSS score of 7.5, is caused by a Null Pointer Dereference that, if exploited, could lead to a Denial of Service condition.
The vulnerability CVE-2023-46262, with a CVSS score of 7.5, could be exploited by an unauthenticated attacker sending a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
The vulnerability CVE-2023-46266, with a CVSS score of 7.3, could be exploited by an attacker sending a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
The vulnerabilities CVE-2023-46263 and CVE-2023-46264, with a CVSS score of 7.2, could allow an attacker to upload files of a dangerous type to Avalanche and achieve remote code execution.
The vulnerabilities CVE-2023-46803 and CVE-2023-46804, with a CVSS score of 7.5, could be exploited by an attacker sending specially crafted data packets to the Mobile Device Server to cause a Denial of Service (DoS).
The vulnerability CVE-2023-46265, with a CVSS score of 6.5, could be exploited by an unauthenticated attacker to leak data or perform a Server-Side Request Forgery (SSRF) on the Smart Device Server.
Affected Products
These vulnerabilities affect at least Ivanti Avalanche versions 6.4.1 and 6.4.2. According to Ivanti, they very likely affect all Avalanche 6.X versions [2].
Recommendations
It is strongly recommended to update as soon as possible.
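A small inventory triage helper, added here as an example (not CERT-EU or Ivanti code): it reads constructed "hostname,version" lines and flags every Avalanche 6.X host below 6.4.3, the fixed release named in the mitigation table, as needing the update; hosts outside the 6.X line are reported as not covered by this bulletin.

```python
"""Triage an Avalanche inventory against this bulletin (constructed example)."""
from __future__ import annotations

FIXED_VERSION = (6, 4, 3)   # fixed release per the mitigation table
AFFECTED_MAJOR = 6          # bulletin: all 6.X versions presumed affected


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.4.2' (or '6.4') into a comparable integer tuple.

    Missing trailing components are padded with zeros so 6.4 == 6.4.0;
    non-numeric input raises ValueError instead of being silently ignored.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-covered' for one Avalanche version."""
    v = parse_version(version)
    if v[0] != AFFECTED_MAJOR:
        return "not-covered"  # the bulletin only speaks about the 6.X line
    return "fixed" if v >= FIXED_VERSION else "affected"


def triage(inventory: str) -> dict[str, list[str]]:
    """Group hostnames by patch status from 'hostname,version' lines."""
    result: dict[str, list[str]] = {
        "affected": [], "fixed": [], "not-covered": [], "invalid": []}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        try:
            result[classify(ver)].append(host)
        except ValueError:
            result["invalid"].append(host)  # unparsable version: review by hand
    return result


SAMPLE_INVENTORY = """\
# constructed sample data, not a real inventory
mdm-prod-01,6.4.2
mdm-prod-02,6.4.1
mdm-lab-01,6.4.3
mdm-lab-02,6.4
mdm-old-01,5.3.1
mdm-bad-01,unknown
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```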
References
- [1] Ivanti Releases Patches for 13 Critical Avalanche RCE Flaws (BleepingComputer)
- [2] Ivanti Announcement on Avalanche 6.4.2 Security Hardening and CVEs Addressed (Ivanti Forums)
MITRE ATT&CK Matrix Analysis
Enterprise

| Tactic | Technique/Sub-Technique | Potential Attacker Groups | Mitigation |
|---|---|---|---|
| Initial Access | T1190 - Exploit Public-Facing Application | APT groups, Cybercriminals | Update to Ivanti Avalanche version 6.4.3 or later. |
| Execution | T1203 - Exploitation for Client Execution | APT groups, Cybercriminals | Apply the latest security patches. |
| Privilege Escalation | T1068 - Exploitation for Privilege Escalation | APT groups, Cybercriminals | Implement Principle of Least Privilege. |
| Defense Evasion | T1027 - Obfuscated Files or Information | APT groups, Cybercriminals | Enhanced monitoring of abnormal activities. |
| Credential Access | T1110 - Brute Force | APT groups, Cybercriminals | Enable lockout policies and MFA. |
| Discovery | T1083 - File and Directory Discovery; T1046 - Network Service Scanning | APT groups, Cybercriminals | Network segmentation and monitoring. |
| Lateral Movement | T1570 - Lateral Tool Transfer | APT groups, Cybercriminals | Restrict lateral movement within the network. |
| Collection | T1005 - Data from Local System | APT groups, Cybercriminals | Regularly back up and encrypt sensitive data. |
| Impact | T1489 - Service Stop; T1499 - Endpoint Denial of Service | APT groups, Cybercriminals | Implement redundancy, rate limiting, and patch management. |

Mobile

| Tactic | Technique/Sub-Technique | Potential Attacker Groups | Mitigation |
|---|---|---|---|
| Initial Access | M6: Exploit via Public-Facing Application | APT groups, Cybercriminals | Update MDM software and mobile applications. |
| Execution | M8: Client Execution | APT groups, Cybercriminals | Utilize app vetting and endpoint protection. |
| Security Policy | M10: Modify Device Security Policy | APT groups, Cybercriminals | Enforce and audit security policies on devices. |
| Network Effects | M3: Denial of Service | APT groups, Cybercriminals | Optimize network architecture for resilience. |

ICS

| Tactic | Technique/Sub-Technique | Potential Attacker Groups | Mitigation |
|---|---|---|---|
| Initial Access | T1190 - External Remote Services | APT groups, Cybercriminals | Ensure strong VPN authentication for remote services. |
| Persistence | T0867 - Modify System Image | APT groups, Cybercriminals | Conduct frequent integrity checks. |
| Inhibit Response Function | T0812 - Loss of View; T0814 - Loss of Control | APT groups, Cybercriminals | Redundancy in monitoring and control systems. |
This post was generated entirely by an AI language model. Source: CERT EU