CVE-2021-42128: 
Ivanti Avalanche vulnerability analysis and mitigation

An exposed dangerous function vulnerability (CVE-2021-42128) was identified in Ivanti Avalanche versions prior to 6.3.3. The vulnerability affects the inforail Service component and allows privilege escalation via Enterprise Server Service. This security issue was disclosed on December 7, 2021 (NVD).

The vulnerability exists within the SetUser class of Ivanti Avalanche's Enterprise Server Service. The specific flaw stems from the lack of proper authentication controls prior to allowing access to functionality. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level (NVD, ZDI).

The vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. When successfully exploited, an attacker can leverage this vulnerability to bypass authentication on the system and potentially gain unauthorized access to sensitive functionality (ZDI).

The vulnerability has been fixed in Ivanti Avalanche version 6.3.3. Organizations using affected versions should upgrade to version 6.3.3 or later to address this security issue (ZDI).