CVE-2023-46220: 
Ivanti Avalanche vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-46220) was discovered in Ivanti Avalanche's Mobile Device Server. The vulnerability affects all supported versions of Avalanche (versions 6.3.1 and above), with older versions also at risk. This stack-based buffer overflow vulnerability was discovered by researchers at Trend Micro's Zero Day Initiative and was patched in December 2023 (ZDI, Ivanti Release Notes).

The vulnerability exists within the WLAvalancheService component of Ivanti Avalanche. The specific flaw results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it can be exploited remotely without requiring authentication or user interaction (NVD, ZDI).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of SYSTEM privileges. The vulnerability can lead to both Denial of Service (DoS) conditions and potential code execution on affected systems (NVD, Arctic Wolf).

Ivanti has released version 6.4.2.313 of Avalanche to address this vulnerability. Organizations are strongly recommended to upgrade to this latest version to mitigate the risk. The fix was included as part of a security update that addressed multiple critical vulnerabilities (Ivanti Release Notes, Bleeping Computer).