CVE-2022-36977: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2022-36977 is a critical vulnerability discovered in Ivanti Avalanche version 6.3.2.3490. The vulnerability, identified as ZDI-CAN-15449, was disclosed on May 26, 2022. It affects the Certificate Management Server service of Ivanti Avalanche and allows remote attackers to execute arbitrary code. Although authentication is required, the existing authentication mechanism can be bypassed (Zero Day Initiative).

The vulnerability stems from the lack of proper validation of user-supplied data within the Certificate Management Server service, which can result in deserialization of untrusted data. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (Zero Day Initiative, NVD).

An attacker can leverage this vulnerability to execute code in the context of the service account. Given the CVSS score of 9.8, this vulnerability represents a critical risk to affected systems, potentially allowing complete compromise of the target system (Zero Day Initiative).

Ivanti has addressed this vulnerability in version 6.3.4 of Avalanche. Users are strongly advised to upgrade to this version to protect against potential exploitation. The fix is documented in the release notes as addressing ZDI-CAN-15449 (Release Notes).