CVE-2023-32560
Published 2023-08-10
Priority P184 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 98.92% (99.9th percentile)
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | < 6.4.1 | 6.4.1 |
Detection & IOCs (extracted from sources)
- bytes: jmp esp @ 0x00412b81
- bytes: stack pivot: add esp, 0x00000FA0 ; retn 0x0004 @ 0x0052d484
- Monitor TCP port 1777 for specially crafted messages sent to the Wavelink Avalanche Manager; oversized item data payloads (e.g. 0x800 bytes) in item types 3/5/8/100/101/102 are indicative of exploitation attempts.
- Detect exploitation by looking for the Avalanche Manager process spawning child processes (e.g. cmd.exe) running as NT AUTHORITY\SYSTEM, which indicates successful RCE via the buffer overflow.
- The exploit message structure uses a preamble (4x uint32 big-endian: msg_size, hdr_size, payload_size, unk=0) followed by padded header/payload items. Network signatures should look for this big-endian framing on port 1777 with anomalously large item data fields.
- The JMP ESP (0x00412b81) and stack pivot (0x0052d484) gadget addresses in the public PoC are specific to Ivanti Avalanche MDM v6.4.0.0 on Windows 10; these addresses will differ on other versions or OS configurations, so byte-signature detections based on these values may miss variants targeting other builds.
- The vulnerability is fixed in version 6.4.1; systems already patched to 6.4.1 or later (including 6.4.3) are not vulnerable, so detections should be scoped to unpatched instances.
- Exploitation requires no user authentication and is low-complexity, meaning any network-accessible Avalanche Manager on port 1777 is at risk without additional access controls.
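The framing described in the bullets above (a big-endian preamble of msg_size, hdr_size, payload_size and unk, followed by header items and payload items) lends itself to a simple passive check on captured port 1777 traffic. The following Python is an added example, not code from the page's sources, the public PoC or Ivanti: it parses one captured message, validates the preamble against the captured length, and flags items of types 3/5/8/100/101/102 whose data exceeds a threshold. The item layout (big-endian uint32 type, name_size, value_size, then name and value bytes) is inferred from the truncated PoC fragment on this page and is an assumption, as are the 0x400-byte threshold, the item names and the two sample messages, which are constructed here rather than captured.

```python
import struct

# Item types that the vulnerability descriptions on this page associate with the
# stack-based overflow (3/5/8/100/101/102).
SUSPICIOUS_ITEM_TYPES = {3, 5, 8, 100, 101, 102}
# Item data at or above this size is treated as anomalous. The public PoC is
# described as using 0x800-byte payloads; 0x400 is an assumed threshold.
ITEM_DATA_THRESHOLD = 0x400

PREAMBLE_FMT = '>IIII'  # msg_size, hdr_size, payload_size, unk (big-endian, per the page)
ITEM_HDR_FMT = '>III'   # type, name_size, value_size (assumed big-endian, per the PoC fragment)


def encode_item(item_type, name, value):
    """Serialize one item: fixed header followed by the raw name and value bytes."""
    return struct.pack(ITEM_HDR_FMT, item_type, len(name), len(value)) + name + value


def encode_message(hdr_items, payload_items):
    """Build a full message: preamble + header items + payload items + padding to 16 bytes."""
    hdr = b''.join(encode_item(*i) for i in hdr_items)
    payload = b''.join(encode_item(*i) for i in payload_items)
    body = hdr + payload
    pad = b'\x00' * ((16 - len(body) % 16) % 16)
    preamble = struct.pack(PREAMBLE_FMT, 16 + len(body) + len(pad), len(hdr), len(payload), 0)
    return preamble + body + pad


def parse_items(buf):
    """Decode consecutive items from a region; raise ValueError on truncated or inconsistent data."""
    items = []
    off = 0
    while off < len(buf):
        if off + 12 > len(buf):
            raise ValueError('truncated item header at offset %d' % off)
        item_type, name_size, value_size = struct.unpack_from(ITEM_HDR_FMT, buf, off)
        off += 12
        if off + name_size + value_size > len(buf):
            raise ValueError('item at offset %d claims more data than the region holds' % (off - 12))
        name = buf[off:off + name_size]
        value = buf[off + name_size:off + name_size + value_size]
        off += name_size + value_size
        items.append((item_type, name, value))
    return items


def inspect_message(data):
    """Return a list of findings for one captured message; an empty list means nothing was flagged."""
    findings = []
    if len(data) < 16:
        return ['short message: %d bytes, no complete preamble' % len(data)]
    msg_size, hdr_size, payload_size, unk = struct.unpack_from(PREAMBLE_FMT, data, 0)
    if msg_size != len(data):
        findings.append('msg_size %d does not match captured length %d' % (msg_size, len(data)))
    if 16 + hdr_size + payload_size > len(data):
        findings.append('hdr_size + payload_size (%d) exceed the message body' % (hdr_size + payload_size))
        return findings  # item regions cannot be located safely
    if unk != 0:
        findings.append('unk field is %d, expected 0' % unk)
    regions = (('hdr', data[16:16 + hdr_size]),
               ('payload', data[16 + hdr_size:16 + hdr_size + payload_size]))
    for region_name, region in regions:
        try:
            items = parse_items(region)
        except ValueError as exc:
            findings.append('%s: %s' % (region_name, exc))
            continue
        for item_type, name, value in items:
            if item_type in SUSPICIOUS_ITEM_TYPES and len(value) >= ITEM_DATA_THRESHOLD:
                findings.append('%s: item type %d carries %d bytes of data (threshold %d)'
                                % (region_name, item_type, len(value), ITEM_DATA_THRESHOLD))
    return findings


# Constructed sample messages (not real captures; item names and types are made up).
BENIGN = encode_message([(1, b'device', b'scanner-01')], [(3, b'status', b'ok')])
SUSPICIOUS = encode_message([(1, b'device', b'x')], [(3, b'data', b'A' * 0x800)])

if __name__ == '__main__':
    for label, msg in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(label, inspect_message(msg) or ['no findings'])
```

The size threshold is the tunable part: a defender would set it from the largest item data observed in legitimate console traffic, and pair this check with the process-spawn detection from the bullets above so that a single oversized item does not have to carry the whole verdict.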
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ivanti
Ivanti Security Advisory: CVE-2023-32560
vendor_ivanti · 2023-08-10 · CVSS 9.8 · CRITICAL · CWE-20
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
CVE IDs: CVE-2023-32560
CVSS Base Score: 9.8
Severity: CRITICAL
CWEs: CWE-20, CWE-787
GHSA
GHSA-m39h-xjmq-4vgf
ghsa_unreviewed · 2023-08-10 · HIGH · CWE-20
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
No detection rules found.
Exploit-DB
Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
exploitdb · 2023-09-04 · CVSS 9.8 · CRITICAL

```python
import struct

# Item structure. The listing is truncated at this point; the class head is
# reconstructed from the pack() tail that survives, with the item header assumed
# to be three big-endian uint32 fields like the preamble.
class Item:
    def __init__(self, type, name, value):
        self.type = type
        self.name = name
        self.value = value
        self.name_size = len(name)
        self.value_size = len(value)
    def pack(self):
        return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
                           self.type, self.name_size, self.value_size, self.name, self.value)

# Create a header structure
class HP:
    def __init__(self, hdr, payload):
        self.hdr = hdr
        self.payload = payload
        # Note: len() here counts items, not serialized bytes (as in the original listing)
        self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)
    def pack(self):
        return b''.join([item.pack() for item in self.hdr]) + \
               b''.join([item.pack() for item in self.payload]) + self.pad

# Create a preamble structure
class Preamble:
    def __init__(self, hp):
        self.msg_size = len(hp.pack()) + 16
        self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
        self.payload_size = sum([len(item.pack()) for item in hp.payload])
        self.unk = 0 # Unknown value
    def pack(self):
        return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)
```
Metasploit
Ivanti Avalanche MDM Buffer Overflow
metasploit
This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions. The vulnerability occurs during the processing of item data types 3/5/8/100/101/102: the program copies the item data with `qmemcopy` into a fixed-size stack buffer. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.
Bleepingcomputer
Ivanti warns of critical flaws in its Avalanche MDM solution
blogs_bleepingcomputer · 2024-04-16 · CVSS 9.8 · CRITICAL
By Sergiu Gatlan
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.
As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche's WLInfoRailService and WLAvalancheService components.
They are both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on
Bleepingcomputer
Ivanti releases patches for 13 critical Avalanche RCE flaws
blogs_bleepingcomputer · 2023-12-20 · CVSS 9.8 · CRITICAL
By Sergiu Gatlan
Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution.
Avalanche allows admins to manage over 100,000 mobile devices from a single, central location over the Internet, deploy software, and schedule updates.
As Ivanti explained on Wednesday, these security flaws are due to WLAvalancheService stack or heap-based buffer overflow weaknesses reported by Tenable security researchers and Trend Micro's Zero Day Initiative.
Unauthenticated attackers can exploit them in low-complexity attacks that don't require user interaction to gain remote code execution on unpatched systems.
"An attacker sending specially c
Checkpoint
21st August – Threat Intelligence Report
blogs_checkpoint · 2023-08-21 · CVE-2023-3519
For the latest discoveries in cyber research for the week of 21st August, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
The German Federal Bar (BRAK) Association, which oversees 28 regional bars throughout Germany and represents approximately 166,000 lawyers on a national and international scale, is currently investigating a ransomware attack on its Brussels office. NoEscape ransomware group claimed responsibility for this attack.
Unit42
Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
blogs_unit42 · 2023-07-29 · CVSS 9.8 · CRITICAL
Unit 42 · Published: July 28, 2023
Tags: High Profile Threats, Vulnerabilities, API attacks, CVE-2023-32560, CVE-2023-35078, CVE-2023-35081, CVE-2023-35082, CVE-2023-38035, Ivanti, Zero-day
## Executive Summary
Update: As of August 23, over the last three weeks this incident has developed with three additional vulnerabilities discovered in Ivanti products. The first in MobileIron Core (CVE-2023-35082; the main topic of this threat brief post when first published in July), a second vulnerability discovered in the Ivanti Avalanche product (CVE-2023-32560), and the third in the Ivanti Sentry product (CVE-2023-38035).
On July 24, 2023, Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, publicly disclosed details about an unauthenticated API access zero-day vulnerability. CVE-2023-35078 affects versions 11.10, 11.9 and 11.8, but older versions are also at risk of possible exploitation.
At the time of writing, the only confirmed victims have been Norwegi
References
- http://packetstormsecurity.com/files/174459/Ivanti-Avalance-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/174698/Ivanti-Avalanche-MDM-Buffer-Overflow.html
- https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
Published: 2023-08-10