CVE-2022-36974

9.8 CRITICAL

📋 TL;DR

This vulnerability in Ivanti Avalanche allows unauthenticated remote attackers to execute arbitrary code via insecure deserialization in the Web File Server service. The service deserializes data supplied by a network client before any credential check, so a single crafted request to the service's listening port is enough; no account is needed. Code runs under the account the Web File Server service runs as. Affects Ivanti Avalanche 6.3.2.3490 and earlier; fixed in 6.3.4.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: 6.3.2.3490 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Web File Server service to be running and its listening TCP port to be reachable from the attacker.

📦 What is this software?

Ivanti Avalanche (formerly Wavelink Avalanche, which is why the vendor advisory is hosted on download.wavelink.com) is an enterprise mobility management platform for managing rugged mobile devices. It runs as a set of Windows services; the Web File Server service affected here serves files to managed devices and consoles.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining service account privileges, lateral movement within network, data exfiltration, and persistence establishment.

🟠

Likely Case

Remote code execution leading to service disruption, data theft, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation, authentication controls, and monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH - wherever the Web File Server port is reachable from the internet, exploitation needs only a TCP connection and a crafted request; no credentials are involved.
🏢 Internal Only: HIGH - any host that can reach the service's port on the internal network can exploit it, so a compromised workstation or a rogue device on the device-management network is sufficient.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: Yes
Complexity: LOW

No authentication is required: the untrusted data is deserialized before any credential check, so there is nothing to bypass and no account to obtain first. The 9.8 CVSS score (no privileges, no user interaction) reflects this. The ZDI advisory describes a single untrusted-deserialization flaw rather than a chain, which is why exploitation is considered straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.4 and later

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.3.4 or later from the official vendor site.
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart all Avalanche services.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Restrict network access to the Web File Server service to trusted management networks only: the hosts that run the Avalanche console and the device networks that legitimately talk to it.

Use host or perimeter firewall rules to allow inbound TCP to the Web File Server's listening port only from those networks. The page's stated default is 8080, but confirm the actual port on the host (for example with netstat -ano filtered on the service's PID) rather than assuming it; a rule on the wrong port provides no protection. Remember that Windows Firewall applies Block rules before Allow rules, so a blanket block plus an allow for trusted hosts blocks the trusted hosts too; scope the allow rule and rely on the profile's default inbound block instead.

Service Disablement

Platform: windows

Temporarily disable the Web File Server service if it is not required for operations. Note that sc uses the service key name, not the display name, and the name below is an assumption; confirm it first.

rem Confirm the real service name before running the commands below:
rem   sc query type= service state= all | findstr /i avalanche
sc stop "Ivanti Avalanche Web File Server"
sc config "Ivanti Avalanche Web File Server" start= disabled
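The same two workarounds as one PowerShell script, added here as an example (it is not from the page or from Ivanti). It finds the Web File Server service, reads the port the service is actually listening on instead of assuming 8080, makes a rule scoped to trusted subnets the only inbound Allow for that port, and can stop and disable the service. The service display-name pattern, the trusted subnet and the rule name are assumptions; adjust them for your installation.

```powershell
# Added example; not vendor code. Run from an elevated PowerShell session on the Avalanche host.
function Limit-AvalancheWebFileServer {
    param(
        [string]$ServicePattern   = '*Avalanche*Web File*',  # assumed display-name pattern; confirm with Get-Service
        [string[]]$TrustedSubnets = @('10.20.0.0/16'),       # assumed management network; replace with yours
        [int]$FallbackPort        = 8080,                    # the page's stated default, used only if nothing is listening
        [switch]$DisableService
    )

    $svc = @(Get-Service | Where-Object { $_.DisplayName -like $ServicePattern -or $_.Name -like $ServicePattern })
    if ($svc.Count -ne 1) {
        throw "Expected exactly one service matching '$ServicePattern', found $($svc.Count). Check Get-Service output."
    }
    $svc = $svc[0]

    # Resolve the service's process and the TCP ports it is really listening on.
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").ProcessId
    $ports = @()
    if ($svcPid) {
        $ports = @(Get-NetTCPConnection -State Listen -OwningProcess $svcPid -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty LocalPort -Unique)
    }
    if ($ports.Count -eq 0) {
        Write-Warning "Service is not listening (stopped?); falling back to port $FallbackPort."
        $ports = @($FallbackPort)
    }

    # Windows Firewall evaluates Block rules before Allow rules, so "allow trusted + block all"
    # would cut off the trusted hosts as well. Rely on the profile's default inbound Block and
    # make the scoped rule the only inbound Allow for the port.
    $weak = Get-NetFirewallProfile | Where-Object {
        "$($_.DefaultInboundAction)" -ne 'Block' -or "$($_.Enabled)" -ne 'True'
    }
    if ($weak) { Write-Warning "Profile(s) not enforcing default inbound Block: $($weak.Name -join ', ')" }

    foreach ($port in $ports) {
        # Remove any existing inbound Allow rule for this port (e.g. one the installer created).
        Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$port" } |
            Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName "Avalanche WFS $port - trusted subnets only" -Direction Inbound `
            -Protocol TCP -LocalPort $port -RemoteAddress $TrustedSubnets -Action Allow -Profile Any | Out-Null
        Write-Host "Inbound TCP/$port now allowed only from: $($TrustedSubnets -join ', ')"
    }

    if ($DisableService) {
        Stop-Service -Name $svc.Name -Force
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Host "Service '$($svc.Name)' stopped and disabled."
    }
}

# Usage (subnet is an assumption):
# Limit-AvalancheWebFileServer -TrustedSubnets '10.20.0.0/16'
# Limit-AvalancheWebFileServer -DisableService
```

Run it once with the firewall step only and verify from a trusted and an untrusted host that the port behaves as expected before deciding whether the service can be disabled outright.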

🧯 If You Can't Patch

  • Implement strict network access controls so that only the Avalanche console hosts and managed-device networks can reach the Web File Server's listening port
  • Enable process-creation auditing on the Avalanche host (Security event 4688 with command line logging) and alert on shells or scripting hosts spawned by the Web File Server process; deserialization errors in the application log are a useful secondary signal but are noisy on their own

🔍 How to Verify

Check if Vulnerable:

Check the Avalanche version via Control Panel > Programs > Programs and Features, or with the wmic query below, and look for an Ivanti Avalanche version of 6.3.2.3490 or earlier. Note that wmic product enumerates Win32_Product, which is slow and triggers a consistency check (and possible repair) of every MSI package on the host; wmic itself is deprecated on current Windows releases, so prefer reading the Uninstall registry keys where possible.

Check Version:

wmic product where "name like '%Avalanche%'" get name,version

Verify Fix Applied:

Verify that the version is 6.3.4 or later using the same method, confirm that the Web File Server service binary's file version matches the upgraded release, and confirm that the service was restarted after the upgrade so the old code is no longer running.
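A PowerShell check that does the version comparison without Win32_Product, added here as an example (not from the page or from Ivanti). It reads the 64-bit and 32-bit Uninstall registry keys, parses the product version, compares it with the fixed release 6.3.4 from the Fix section, and reports the Web File Server service's state. The product and service name patterns are assumptions.

```powershell
# Added example; not vendor code.
function Test-AvalanchePatched {
    param(
        [version]$FixedVersion  = '6.3.4',                 # first fixed release per the vendor advisory
        [string]$ProductPattern = '*Avalanche*',           # assumed DisplayName pattern in the Uninstall keys
        [string]$ServicePattern = '*Avalanche*Web File*'   # assumed service display-name pattern
    )
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $products = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                  Where-Object { $_.DisplayName -like $ProductPattern -and $_.DisplayVersion })
    if ($products.Count -eq 0) {
        return [pscustomobject]@{ Product = $null; Version = $null; Vulnerable = $null;
                                  Service = 'no product matching pattern in Uninstall keys' }
    }

    $svc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern } | Select-Object -First 1

    foreach ($p in $products) {
        # Keep only the leading numeric part so [version] parsing survives suffixes such as " (x64)".
        $raw = $p.DisplayVersion -replace '[^0-9.].*$', ''
        $ver = $null
        $parsed = [version]::TryParse($raw, [ref]$ver)
        [pscustomobject]@{
            Product    = $p.DisplayName
            Version    = $p.DisplayVersion
            # 6.3.2.3490 -lt 6.3.4 is $true; 6.3.4.x -lt 6.3.4 is $false
            Vulnerable = $(if ($parsed) { $ver -lt $FixedVersion } else { $null })
            Service    = $(if ($svc) { "$($svc.Name): $($svc.Status)" } else { 'service not found' })
        }
    }
}

Test-AvalanchePatched | Format-Table -AutoSize
```

A Vulnerable value of $null means the version string could not be parsed; inspect it by hand rather than treating it as patched.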

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts to Web File Server
  • Deserialization errors in application logs
  • Suspicious process creation from Avalanche service account

Network Indicators:

  • Connections to the Web File Server port (default 8080 per this page; confirm the real port on the host) from sources that are neither Avalanche consoles nor managed devices
  • Serialized-object payloads in requests to that port from unexpected sources, particularly large or oddly structured ones that precede errors in the application log

SIEM Query (illustrative; the source name and event_type values are placeholders to be mapped onto your log schema, not field names Avalanche emits):

source="avalanche_logs" AND (event_type="authentication_bypass" OR event_type="deserialization_error")
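The strongest host-side signal for this class of bug is the service process spawning a shell, so here is a PowerShell detector for the "suspicious process creation from the Avalanche service" indicator above, added as an example (not from the page or from Ivanti). It reads Security event 4688, flattens the event data, and flags shells and scripting hosts whose parent image is the Avalanche service. The parent-path pattern and the sample records are constructed assumptions; 4688 must be enabled via "Audit Process Creation", and the CommandLine field is only populated when "Include command line in process creation events" is turned on.

```powershell
# Added example; not vendor code.
function Get-SuspiciousAvalancheChildren {
    param(
        [Parameter(ValueFromPipeline)] $Event,      # flat object: TimeCreated, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
        [string]$ParentPattern = '*Avalanche*',     # assumed: the service's image path contains "Avalanche"
        [string[]]$SuspiciousChildren = @('cmd.exe','powershell.exe','pwsh.exe','rundll32.exe','mshta.exe',
                                          'certutil.exe','bitsadmin.exe','wscript.exe','cscript.exe','regsvr32.exe')
    )
    process {
        $parent = [string]$Event.ParentProcessName
        $child  = [IO.Path]::GetFileName([string]$Event.NewProcessName)
        if ($parent -like $ParentPattern -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time        = $Event.TimeCreated
                User        = $Event.SubjectUserName
                Parent      = $parent
                Child       = $Event.NewProcessName
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Flatten live 4688 events from the Security log into the shape the detector expects.
function Get-ProcessCreationEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                SubjectUserName   = $d.SubjectUserName
                ParentProcessName = $d.ParentProcessName
                NewProcessName    = $d.NewProcessName
                CommandLine       = $d.CommandLine
            }
        }
}

# Constructed sample records (not real telemetry) showing one hit and two non-hits.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; SubjectUserName = 'avalanche-svc'
                       ParentProcessName = 'C:\AvalancheInstall\WebFileServer.exe'      # assumed path
                       NewProcessName    = 'C:\Windows\System32\cmd.exe'
                       CommandLine       = 'cmd.exe /c whoami' },
    [pscustomobject]@{ TimeCreated = Get-Date; SubjectUserName = 'avalanche-svc'
                       ParentProcessName = 'C:\AvalancheInstall\WebFileServer.exe'
                       NewProcessName    = 'C:\AvalancheInstall\Helper.exe'             # legitimate child
                       CommandLine       = 'Helper.exe --sync' },
    [pscustomobject]@{ TimeCreated = Get-Date; SubjectUserName = 'admin'
                       ParentProcessName = 'C:\Windows\explorer.exe'                    # not the service
                       NewProcessName    = 'C:\Windows\System32\cmd.exe'
                       CommandLine       = 'cmd.exe' }
)
$sample | Get-SuspiciousAvalancheChildren | Format-Table -AutoSize   # reports only the first record

# Live use on the Avalanche host:
# Get-ProcessCreationEvents -Since (Get-Date).AddHours(-6) | Get-SuspiciousAvalancheChildren
```

Tune the parent pattern to the real install path and, if the service legitimately launches any of the listed binaries, add an allowlist keyed on the command line rather than dropping that binary from the list.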

🔗 References

  • Vendor release notes (fix in 6.3.4): https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt
