CVE-2023-46261: 
Ivanti Avalanche vulnerability analysis and mitigation

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution in Ivanti Avalanche. The vulnerability affects all supported versions of Avalanche versions 6.3.1 and above, with older versions also at risk. The issue was discovered by researchers at Trend Micro's Zero Day Initiative and was patched in Avalanche version 6.4.2 (Ivanti Release Notes).

The specific flaw exists within the WLInfoRailService component and is classified as a heap-based buffer overflow vulnerability. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely without requiring authentication or user interaction (ZDI Advisory).

An attacker can leverage this vulnerability to execute code in the context of SYSTEM, potentially gaining complete control over the affected system. The successful exploitation could lead to both Denial of Service (DoS) conditions and arbitrary code execution on vulnerable installations (NVD).

Ivanti has released version 6.4.2 of Avalanche to address this vulnerability. Organizations are strongly recommended to upgrade to Avalanche version 6.4.2.313, which contains the security fix. The patch should be applied following organizational patching and testing guidelines to avoid operational impact (Ivanti Release Notes).