CVE-2022-36972

CVSS 9.8 CRITICAL

📋 TL;DR

CVE-2022-36972 is a critical SQL injection vulnerability in Ivanti Avalanche that allows remote attackers to bypass authentication. The flaw exists in the ProfileDaoImpl class where user-supplied input is improperly incorporated into SQL queries. Organizations running affected versions of Ivanti Avalanche are vulnerable to complete system compromise.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: 6.3.2.3490 and earlier
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. The vulnerability is in the core application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attackers gain administrative access to the Avalanche system, potentially leading to full network compromise, data exfiltration, and ransomware deployment.

🟠 Likely Case

Attackers bypass authentication to gain administrative privileges, allowing them to modify configurations, deploy malicious payloads, and access sensitive device management data.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the Avalanche system itself, preventing lateral movement to other critical assets.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a crafted HTTP request to the vulnerable endpoint. No authentication is required, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.4 or later

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.3.4 or later from the Ivanti support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the Avalanche service.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to the Avalanche server to only trusted management networks.

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection protection rules in front of the Avalanche server.

🧯 If You Can't Patch

  • Immediately isolate the Avalanche server from the internet and restrict internal access to only necessary administrators
  • Implement strict network monitoring and alerting for suspicious authentication attempts and SQL injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the Avalanche version in the web interface under Help > About. If version is 6.3.2.3490 or earlier, the system is vulnerable.

Check Version:

No command-line version check is available; check the version in the web interface at https://[avalanche-server]/avalanche/ (Help > About).

Verify Fix Applied:

After patching, verify the version shows 6.3.4 or later in the web interface. Test authentication functionality to ensure it's working properly.
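The version thresholds above are easy to get wrong in a script because the affected build has four components (6.3.2.3490) while the fix has three (6.3.4), and a plain string comparison ranks "6.3.2.3490" above "6.3.4". The following is an added example, not code from the advisory or from Ivanti; it assumes the version string has been read from the Help > About page and compares it component by component, reporting versions that fall between the two stated thresholds as undetermined rather than guessing.

```python
# Added example (not from the advisory): classify an Avalanche version string
# against the thresholds this advisory states. The version string is assumed to
# have been copied from the web interface (Help > About).
AFFECTED_MAX = "6.3.2.3490"  # advisory: this version and earlier are vulnerable
FIXED_MIN = "6.3.4"          # advisory: fixed in 6.3.4 or later


def parse_version(text):
    """Turn '6.3.2.3490' into (6, 3, 2, 3490) so components compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the version is 6.3.2.3490 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def is_fixed(version):
    """True when the version is 6.3.4 or later."""
    return parse_version(version) >= parse_version(FIXED_MIN)


def status(version):
    """'affected', 'fixed', or 'undetermined' for builds between the two thresholds."""
    if is_affected(version):
        return "affected"
    if is_fixed(version):
        return "fixed"
    return "undetermined"


if __name__ == "__main__":
    for v in ("6.3.2.3490", "6.3.1.100", "6.3.3", "6.3.4", "6.4.0"):
        print(f"{v:12} -> {status(v)}")
```

Tuple comparison is what makes this correct: (6, 3, 4) is greater than (6, 3, 2, 3490) because the third component decides, whereas `"6.3.4" > "6.3.2.3490"` as strings is also true only by accident of the digit "4" versus "2"; a version such as "6.3.10" would sort below "6.3.4" as a string but correctly above it here.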

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts from unexpected IPs
  • SQL error messages in application logs
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • HTTP requests containing SQL injection patterns to /avalanche/ endpoints
  • Unusual outbound connections from the Avalanche server

SIEM Query:

source="avalanche" AND ((event_type="authentication" AND result="success" AND user="admin" AND NOT src_ip IN [trusted_ips]) OR (message="*SQL*" OR message="*syntax*" OR message="*query*"))

Note the outer parentheses: without them, AND binds tighter than OR and the query becomes "(avalanche admin logins from untrusted IPs) OR (any SQL-looking message from any source)", so the source filter no longer applies to the second half. Replace [trusted_ips] with your management network addresses in your SIEM's list syntax.
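To show the three log indicators and the SIEM query's two conditions as concrete detection logic, here is an added example that is not part of the advisory and not Ivanti's code. The log layout (timestamp followed by key=value fields), the field names, the IP addresses and the failure threshold are all constructed for the example; adapt the parser to the real Avalanche log format before use.

```python
"""Added example (not from the advisory): run the advisory's log indicators over
a few constructed Avalanche-style log lines. Log layout, field names, IPs and
the threshold are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed sample log in an assumed "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2022-08-01T10:00:01 event=authentication result=failure user=admin src_ip=203.0.113.7
2022-08-01T10:00:02 event=authentication result=failure user=admin src_ip=203.0.113.7
2022-08-01T10:00:03 event=authentication result=failure user=admin src_ip=203.0.113.7
2022-08-01T10:00:04 event=authentication result=success user=admin src_ip=203.0.113.7
2022-08-01T10:00:05 event=error message="SQLException: syntax error near ''"
2022-08-01T10:05:00 event=authentication result=success user=admin src_ip=10.0.0.5
2022-08-01T10:06:00 event=device_checkin result=success device=scanner-12
"""

TRUSTED_IPS = {"10.0.0.5"}   # assumed management-network hosts (the query's [trusted_ips])
FAILURE_THRESHOLD = 3        # consecutive failures before a success that count as suspicious
SQL_PATTERN = re.compile(r"sql|syntax|query", re.IGNORECASE)  # the query's message="*SQL*" etc.
KV_PATTERN = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="quoted value"


def parse_line(line):
    """Split '<ts> k=v k="v v"' into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_PATTERN.findall(rest)}
    fields["ts"] = ts
    return fields


def analyze(log_text, trusted_ips=TRUSTED_IPS, threshold=FAILURE_THRESHOLD):
    """Return (indicator, timestamp, detail) tuples for each matching line."""
    alerts = []
    failures = defaultdict(int)  # (user, src_ip) -> consecutive failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") == "authentication":
            key = (ev.get("user"), ev.get("src_ip"))
            if ev.get("result") == "failure":
                failures[key] += 1
                continue
            if ev.get("result") == "success":
                # Indicator: admin login from outside the trusted management network.
                if ev.get("user") == "admin" and ev.get("src_ip") not in trusted_ips:
                    alerts.append(("admin_login_untrusted_ip", ev["ts"], ev.get("src_ip")))
                # Indicator: a run of failures followed by a success for the same user/IP.
                if failures[key] >= threshold:
                    alerts.append(("failures_then_success", ev["ts"], ev.get("src_ip")))
                failures[key] = 0
        elif SQL_PATTERN.search(ev.get("message", "")):
            # Indicator: SQL error text in application logs.
            alerts.append(("sql_error_message", ev["ts"], ev["message"]))
    return alerts


if __name__ == "__main__":
    for indicator, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {indicator}: {detail}")
```

Run against the constructed sample, the successful admin login from 203.0.113.7 at 10:00:04 raises two alerts (untrusted source, and three failures immediately before it), the SQLException line raises a third, and the admin login from the trusted 10.0.0.5 raises none. The two authentication indicators are kept separate on purpose: an admin login from an untrusted address is worth a look on its own, while failures-then-success also covers a trusted address that is being used for password guessing.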
