CVE-2023-46257: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2023-46257 is a critical vulnerability in Ivanti Avalanche's Mobile Device Server that was disclosed on December 19, 2023. The vulnerability affects all supported versions of Avalanche 6.3.1 and above, as well as older versions. This stack-based buffer overflow vulnerability allows unauthenticated attackers to send specially crafted data packets to the Mobile Device Server (NVD, Ivanti Release Notes).

The vulnerability is a stack-based buffer overflow in the WLAvalancheService component that stems from improper validation of user-supplied data length before copying it to a stack-based buffer. It has received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (ZDI Advisory).

Successful exploitation of this vulnerability could result in denial of service (DoS) conditions or remote code execution in the context of SYSTEM privileges. An attacker could potentially gain complete control over the affected system, allowing them to execute arbitrary code with elevated privileges (ZDI Advisory, NVD).

Ivanti has released version 6.4.2.313 of Avalanche to address this vulnerability along with several other security issues. Organizations are strongly recommended to upgrade to this version to mitigate the risk. The patch was released on December 20, 2023 (Bleeping Computer, Ivanti Release Notes).