CVE-2023-46258: 
Ivanti Avalanche vulnerability analysis and mitigation

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution in Ivanti Avalanche. This critical vulnerability (CVE-2023-46258) affects all supported versions of Avalanche 6.3.1 and above, as well as older versions. The vulnerability was discovered by researchers at Trend Micro's Zero Day Initiative and was patched in Avalanche version 6.4.2 released in December 2023 (NVD, ZDI Advisory).

The vulnerability is classified as a Stack-based Buffer Overflow Remote Code Execution vulnerability with a CVSS v3.1 base score of 9.8 (Critical). The specific flaw exists within the WLAvalancheService component and results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. The vulnerability is tracked as CWE-787 (Out-of-bounds Write) (NVD, ZDI Advisory).

An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. The vulnerability requires no authentication to exploit and can be triggered remotely with low attack complexity. Successful exploitation could lead to complete system compromise through remote code execution or cause denial of service conditions (ZDI Advisory).

Ivanti has released version 6.4.2 of Avalanche to address this vulnerability along with several other security issues. Organizations are strongly recommended to upgrade to Avalanche version 6.4.2.313 to mitigate this vulnerability. The patch was released on December 20, 2023 (Bleeping Computer, Release Notes).