CVE-2022-36978 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2022-36978?

CVE-2022-36978 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Ivanti Avalanche systems by bypassing authentication and exploiting insecure deserialization in the Notification Server service. Attackers can gain code execution with service account privileges. Affects Ivanti Avalanche installations version 6.3.2.3490.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Ivanti Avalanche systems by bypassing authentication and exploiting insecure deserialization in the Notification Server service. Attackers can gain code execution with service account privileges. Affects Ivanti Avalanche installations version 6.3.2.3490.

💻 Affected Systems

Products:

Ivanti Avalanche

Versions: 6.3.2.3490 and earlier

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Notification Server service to be running. Authentication bypass makes this exploitable even with authentication enabled.

📦 What is this software?

Avalanche by Ivanti

View all CVEs affecting Avalanche →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining service account privileges, lateral movement within network, data exfiltration, and persistence establishment.

🟠

Likely Case

Remote code execution leading to service disruption, data theft, and potential ransomware deployment.

🟢

If Mitigated

Limited impact due to network segmentation, proper authentication controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH - Authentication bypass allows remote attackers to exploit without valid credentials.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Authentication bypass exists, making exploitation easier. ZDI-CAN-15448 reference suggests detailed technical analysis available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.4 and later

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.3.4 or later from official sources. 2. Backup current configuration. 3. Install the update following vendor instructions. 4. Restart the Notification Server service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

windows

Restrict network access to Notification Server service (default port 1777/TCP) to trusted hosts only.

Windows Firewall: New-NetFirewallRule -DisplayName "Block Avalanche Notification" -Direction Inbound -LocalPort 1777 -Protocol TCP -Action Block

Service Account Hardening

windows

Reduce privileges of the service account running Notification Server to minimum required.

sc.exe config "Avalanche Notification Server" obj= "NT AUTHORITY\LocalService"

🧯 If You Can't Patch

Implement strict network access controls to limit exposure of Notification Server service
Enable detailed logging and monitoring for deserialization attempts and authentication bypass patterns

🔍 How to Verify

Check if Vulnerable:

Check Avalanche version in Control Panel > Programs > Programs and Features. If version is 6.3.2.3490 or earlier, system is vulnerable.

Check Version:

wmic product where name="Ivanti Avalanche" get version

Verify Fix Applied:

Verify version is 6.3.4 or later. Test Notification Server functionality remains operational after patch.

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts to Notification Server
Deserialization errors in application logs
Process creation by Notification Server service account

Network Indicators:

Unexpected connections to port 1777/TCP
Malformed serialized data packets to Notification Server

SIEM Query:

source="avalanche_logs" AND (event_id="500" OR message="*deserialization*" OR message="*authentication bypass*")

📊 Metadata

CVE ID: CVE-2022-36978

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: March 29, 2023

Last Updated: November 21, 2024

🔗 References

https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-22-783/ Third Party Advisory,VDB Entry
https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-22-783/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-36978, you might also want to check these: