CVE-2024-50321: 
Ivanti Avalanche vulnerability analysis and mitigation

An infinite loop vulnerability has been identified in Ivanti Avalanche versions prior to 6.4.6. This vulnerability, tracked as CVE-2024-50321, allows remote unauthenticated attackers to cause a denial of service condition. The vulnerability was disclosed on November 12, 2024, and affects the WLAvalancheService service, which by default listens on TCP port 1777 (ZDI Advisory).

The vulnerability stems from a loop with an unreachable exit condition (infinite loop) in the WLAvalancheService component. It has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

When successfully exploited, this vulnerability can result in a denial-of-service condition on the affected system, potentially making the Avalanche service unavailable to legitimate users. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (ZDI Advisory).

Ivanti has released version 6.4.6 of Avalanche to address this vulnerability. Users of affected versions are strongly advised to upgrade to this latest version to mitigate the risk (ASEC Advisory).