Two unauthenticated stack buffer overflows found in Ivanti Avalanche EMM

Ivanti Avalanche EMM product is impacted by two buffer overflows collectively tracked as CVE-2023-32560.

Tenable researchers discovered two stack-based buffer overflows, collectively tracked as CVE-2023-32560 (CVSS v3: 9.8), impacting the Ivanti Avalanche enterprise mobility management (EMM) solution.

A remote, unauthenticated attacker can trigger the vulnerabilities to execute arbitrary code on vulnerable systems.

The flaw affects Ivanti Avalanche WLAvanacheServer.exe v6.4.0.0 and older.

An attacker can trigger the issue by sending a crafted message to WLAvalancheService.exe on TCP port 1777.

“When processing an item of data type 9, WLAvalancheService.exe uses a fixed-size stack-based buffer to store user-supplied data and then convert the data to an integer using atol(). An unauthenticated remote attacker can specify a long type 9 item to overflow the buffer.” reads the advsisory published by Tenable.

Below is the Disclosure Timeline:

4 April 2023 – Issue reported

12 April 2023 – Tenable requests confirmation that report was received

12 April 2023 – Ivanti confirms the issue is being reviewed

13 April 2023 – Ivanti requests proof of concept script

13 April 2023 – Tenable notes the poc must have been removed from initial report, sends PoC

19 April 2023 – Ivanti confirms the issue and indicates they are working on a fix

22 June 2023 – Ivanti notes that a fix may not be ready by the end of the 90 day window.

28 June 2023 – Tenable extends disclosure window

20 July 2023 – Ivanti informs Tenable a fix will be available on August 1st, and has assigned CVE-2023-32560

14 August 2023 – Initial advisory released
Tenable researchers also created a proof-of-concept and shared it with the vendor on April 13, 2023.

Ivanti addressed the flaw on August 3, 2023, with the release of Avalanche version 6.4.1.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti)

The post Two unauthenticated stack buffer overflows found in Ivanti Avalanche EMM appeared first on Security Affairs.