CVE-2024-50320: 
Ivanti Avalanche vulnerability analysis and mitigation

An infinite loop vulnerability has been identified in Ivanti Avalanche versions prior to 6.4.6. This vulnerability, tracked as CVE-2024-50320, allows remote unauthenticated attackers to cause a denial of service condition. The vulnerability was discovered and reported on October 8, 2024, and was publicly disclosed on November 13, 2024 (ZDI Advisory).

The vulnerability exists within the WLAvalancheService service, which listens on TCP port 1777 by default. The specific flaw stems from a lack of proper exit condition in a loop, classified as CWE-835 (Loop with Unreachable Exit Condition). The vulnerability has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD, ZDI Advisory).

When successfully exploited, this vulnerability can result in a denial-of-service condition on the affected system. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (ZDI Advisory).

Ivanti has released version 6.4.6 to address this vulnerability. Users of affected versions are strongly advised to upgrade to this latest version (ASEC).