CVE-2023-32560
published 2023-08-10


Priority: P1 84 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 98.92% (99.9th percentile)
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

Affected

1 range

Vendor    Product     Version range    Fixed in
ivanti    avalanche   < 6.4.1          6.4.1

Detection & IOCs (extracted from sources)

port:   1777
other:  Ivanti Avalanche MDM item data types 3/5/8/100/101/102 (buffer overflow trigger)
bytes:  jmp esp @ 0x00412b81
bytes:  stack pivot: add esp, 0x00000FA0 ; retn 0x0004 @ 0x0052d484
  • Monitor TCP port 1777 for specially crafted messages sent to the Wavelink Avalanche Manager; oversized item data payloads (e.g. 0x800 bytes) in item types 3/5/8/100/101/102 are indicative of exploitation attempts.
  • Detect successful exploitation by looking for the Avalanche Manager process spawning child processes (e.g. cmd.exe) running as NT AUTHORITY\SYSTEM, which indicates RCE via the buffer overflow.
  • The exploit message structure uses a preamble (4 x uint32 big-endian: msg_size, hdr_size, payload_size, unk=0) followed by padded header/payload items. Network signatures should look for this big-endian framing on port 1777 with anomalously large item data fields.
  • The JMP ESP (0x00412b81) and stack pivot (0x0052d484) gadget addresses in the public PoC are specific to Ivanti Avalanche MDM v6.4.0.0 on Windows 10; these addresses will differ on other versions or OS configurations, so byte-signature detections based on these values may miss variants targeting other builds.
  • The vulnerability is fixed in version 6.4.1; systems already patched to 6.4.1 or later (including 6.4.3) are not vulnerable, so detections should be scoped to unpatched instances.
  • Exploitation requires no user authentication and is low-complexity, meaning any network-accessible Avalanche Manager on port 1777 is at risk without additional access controls.
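The framing and size heuristics in the bullets above, as an added detection example (not code from this page, from Ivanti, or from the PoC it references): it decodes the 16-byte big-endian preamble the page describes, checks that the declared sizes fit the captured bytes, and flags any item of type 3/5/8/100/101/102 whose data length reaches a threshold. The per-item encoding (uint32 type, uint32 length, data), the alert threshold of 0x400 bytes and the sample messages are assumptions constructed for this example; the page only states that items are padded, so the item walker must be adapted to the real layout before use on live traffic.

```python
import struct
from dataclasses import dataclass

AVALANCHE_PORT = 1777                            # Avalanche Manager service port named on the page
PREAMBLE_FMT = ">IIII"                           # big-endian msg_size, hdr_size, payload_size, unk (per the page)
PREAMBLE_LEN = struct.calcsize(PREAMBLE_FMT)     # 16 bytes
OVERFLOW_ITEM_TYPES = {3, 5, 8, 100, 101, 102}   # item data types the page associates with the overflow
# Assumption: the page cites 0x800-byte item data in exploitation attempts; alert well below that.
ITEM_DATA_THRESHOLD = 0x400


@dataclass
class Finding:
    reason: str
    detail: str


def parse_preamble(data: bytes) -> dict:
    """Decode the 16-byte big-endian preamble described on the page."""
    if len(data) < PREAMBLE_LEN:
        raise ValueError("message shorter than preamble")
    msg_size, hdr_size, payload_size, unk = struct.unpack(PREAMBLE_FMT, data[:PREAMBLE_LEN])
    return {"msg_size": msg_size, "hdr_size": hdr_size,
            "payload_size": payload_size, "unk": unk}


def iter_items(section: bytes):
    """Yield (type, declared_length, data) for each item in a header/payload section.

    ASSUMED layout for this example only: uint32 BE type, uint32 BE length, data.
    The page only says items are padded; take the real encoding from the product
    or a capture before using this against live traffic.
    """
    off = 0
    while off + 8 <= len(section):
        item_type, length = struct.unpack(">II", section[off:off + 8])
        yield item_type, length, section[off + 8:off + 8 + length]
        off += 8 + length


def assess_message(dst_port: int, data: bytes) -> list:
    """Return a list of Finding objects for one captured TCP message."""
    findings = []
    if dst_port != AVALANCHE_PORT:
        return findings
    try:
        pre = parse_preamble(data)
    except ValueError:
        return findings                       # too short to be a framed Avalanche message
    if pre["unk"] != 0:
        findings.append(Finding("preamble", f"unk={pre['unk']}, page says this field is 0"))
    declared = PREAMBLE_LEN + pre["hdr_size"] + pre["payload_size"]
    if declared > len(data):
        findings.append(Finding("preamble", f"declared {declared} bytes, captured {len(data)}"))
        return findings                       # sizes lie about the capture; do not walk the items
    body = data[PREAMBLE_LEN:declared]
    for item_type, length, item_data in iter_items(body):
        if length > len(item_data):
            findings.append(Finding("truncated-item",
                                    f"type {item_type} declares {length:#x} bytes, has {len(item_data)}"))
            break
        if item_type in OVERFLOW_ITEM_TYPES and length >= ITEM_DATA_THRESHOLD:
            findings.append(Finding("oversized-item",
                                    f"type {item_type} carries {length:#x} bytes of item data"))
    return findings


def build_message(items) -> bytes:
    """Constructed sample builder: frames (type, data) pairs with the assumed item layout,
    an empty header section and a preamble whose msg_size covers the whole message."""
    body = b"".join(struct.pack(">II", t, len(d)) + d for t, d in items)
    return struct.pack(PREAMBLE_FMT, PREAMBLE_LEN + len(body), 0, len(body), 0) + body


if __name__ == "__main__":
    benign = build_message([(3, b"A" * 32)])          # constructed: small item data, type 3
    suspect = build_message([(100, b"A" * 0x800)])    # constructed: 0x800-byte item, the size the page cites
    print(assess_message(AVALANCHE_PORT, benign))     # []
    print(assess_message(AVALANCHE_PORT, suspect))    # one 'oversized-item' finding
```

Pair this with the host-side check from the bullets (the Avalanche Manager process spawning cmd.exe as NT AUTHORITY\SYSTEM): the network heuristic fires on attempts, the process heuristic on success, and scoping both to instances below 6.4.1 keeps the alert volume honest.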

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v3.0  8.8  HIGH      CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H