CVE-2024-23529: 
Ivanti Avalanche vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2024-23529) was discovered in the WLAvalancheService component of Ivanti Avalanche versions prior to 6.4.3. The vulnerability was disclosed on April 18, 2024, and allows an unauthenticated remote attacker to read sensitive information in memory under certain conditions (NVD, ZDI).

The vulnerability exists within the WLAvalancheService, which listens on TCP port 1777 by default. The specific flaw results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 base score of 5.3 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (ZDI).

The successful exploitation of this vulnerability allows an attacker to read sensitive information stored in memory. This information disclosure could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM (ZDI).

Ivanti has released version 6.4.3 of Avalanche to address this vulnerability. Organizations are advised to update to this version immediately to mitigate the risk (ZDI).