CVE-2021-42132: 
Ivanti Avalanche vulnerability analysis and mitigation

A command injection vulnerability (CVE-2021-42132) was discovered in Ivanti Avalanche versions prior to 6.3.3. The vulnerability allows attackers with access to the Inforail Service to perform arbitrary command execution. This security flaw was reported on September 22, 2021, and was publicly disclosed on November 19, 2021 (ZDI Advisory).

The vulnerability exists within the runAgentRestarter method of the PrinterDeviceServer Service. The core issue stems from improper validation of user-supplied strings before their use in system calls. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD).

The vulnerability enables remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche. Although authentication is required, the existing authentication mechanism can be bypassed, allowing attackers to execute code in the context of the service account (ZDI Advisory).

The vulnerability has been fixed in Ivanti Avalanche version 6.3.3. Organizations using affected versions should upgrade to this version or later to mitigate the risk (ZDI Advisory).