CVE-2022-36981

9.8 CRITICAL

📋 TL;DR

This is a critical path traversal vulnerability in Ivanti Avalanche that allows authenticated attackers to bypass authentication mechanisms and execute arbitrary code with service account privileges. It affects Ivanti Avalanche 6.3.3.101 installations, where an attacker can manipulate the file path handled by the DeviceLogResource class to achieve remote code execution.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: 6.3.3.101
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the DeviceLogResource class specifically. Authentication is required but can be bypassed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining service account privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Unauthorized code execution leading to data theft, system manipulation, and potential ransomware deployment within the affected network segment.

🟢

If Mitigated

Limited impact with proper network segmentation and authentication controls, potentially only affecting the Avalanche service itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

ZDI-CAN-15966 was assigned. Authentication bypass makes exploitation easier despite requiring initial authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.4

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.3.4 from official sources.
2. Back up the current configuration and data.
3. Run the installer to upgrade from 6.3.3.101 to 6.3.4.
4. Restart the Avalanche service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to the Avalanche server to trusted management networks only.

Authentication Hardening (applies to: all)

Implement multi-factor authentication and strong password policies for all Avalanche accounts.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IP addresses only
  • Monitor for suspicious authentication attempts and file path manipulation in logs

🔍 How to Verify

Check if Vulnerable:

Check the Avalanche version in the administration console or via the 'About' menu. If the version is 6.3.3.101, the system is vulnerable.

Check Version:

Check via the Avalanche web interface (Administration > About), or examine the installed programs list in the Windows Control Panel.

Verify Fix Applied:

Verify that the version shows 6.3.4 or higher in the administration console, and test that DeviceLogResource functionality works without errors.
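A small version check, added here as an example and not part of the advisory or of Ivanti's tooling, for scripting the "6.3.4 or higher" test across an inventory export. It compares version components numerically, because a plain string comparison would rank a hypothetical "6.3.10" below "6.3.4". It assumes, conservatively, that every build older than the 6.3.4 fix release should be treated as unpatched; the advisory itself names only 6.3.3.101 as affected.

```python
import re

PATCHED_VERSION = "6.3.4"        # fix release named in the advisory
KNOWN_VULNERABLE = "6.3.3.101"   # affected build named in the advisory


def parse_version(text):
    """Turn '6.3.3.101' into (6, 3, 3, 101); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_unpatched(installed):
    """True when the installed build is older than the 6.3.4 fix release.

    Tuple comparison is element-wise and numeric, so (6, 3, 10) > (6, 3, 4),
    and (6, 3, 4, 1) > (6, 3, 4) because a longer tuple with an equal prefix
    sorts after the shorter one. Assumption: anything below the fix is unpatched.
    """
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def triage(inventory):
    """Map host name -> installed version to the subset that still needs the upgrade."""
    return {host: ver for host, ver in inventory.items() if is_unpatched(ver)}


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up).
    sample = {"avl-prod-01": KNOWN_VULNERABLE, "avl-lab-01": "6.3.4", "avl-test-02": "6.4.0"}
    print(triage(sample))  # only avl-prod-01 is listed
```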

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Suspicious file path requests to DeviceLogResource endpoints
  • Unexpected process execution from Avalanche service account

Network Indicators:

  • Unusual outbound connections from Avalanche server
  • Traffic to DeviceLogResource API with path traversal patterns

SIEM Query:

source="avalanche" AND ((event_type="authentication" AND result="success" AND NOT src_ip IN ("<trusted management ranges>")) OR (uri="*DeviceLogResource*" AND (path="*../*" OR path="*..\*" OR path="*%2e%2e*")))

This is a pseudo-query in Splunk-like syntax; replace the placeholder with your trusted management ranges and adapt the field names to your log source.
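The same two detections, run over sample log lines, as an added example that is not part of the advisory or of Ivanti's product. It flags requests to a DeviceLogResource URI that either contain a traversal segment (after undoing percent-encoding, including double encoding, and normalising backslashes) or come from outside the trusted management network. The log format, the route "/AvalancheWeb/DeviceLogResource", the addresses and the 10.0.0.0/24 management range are all constructed placeholders, not real Avalanche log output or routes.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Ivanti Avalanche output).
# Assumed format: "<client_ip> <method> <uri> <status>"; the route is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET /AvalancheWeb/DeviceLogResource?file=device123.log 200
10.0.0.5 GET /AvalancheWeb/DeviceLogResource?file=../../../../some/other/file.txt 200
203.0.113.7 GET /AvalancheWeb/DeviceLogResource?file=..%2F..%2Fconfig.xml 500
10.0.0.9 GET /AvalancheWeb/status 200
10.0.0.5 GET /AvalancheWeb/DeviceLogResource?file=%252e%252e%255cnotes.txt 200
203.0.113.9 GET /AvalancheWeb/DeviceLogResource?file=device999.log 200
"""

# Assumed management segment from which Avalanche administration is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def fully_decode(uri, max_rounds=3):
    """Undo percent-encoding repeatedly so a double-encoded '..' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri):
    """True if any path or query segment is exactly '..' once decoded and normalised."""
    normalized = fully_decode(uri).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", normalized))


def analyze_log(text, trusted_networks=TRUSTED_NETWORKS):
    """Return one finding per suspicious DeviceLogResource request, with its reasons."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        ip, _method, uri, status = match.groups()
        if "devicelogresource" not in uri.lower():
            continue  # only the affected endpoint is of interest here
        reasons = []
        if has_traversal(uri):
            reasons.append("path traversal pattern")
        if not any(ipaddress.ip_address(ip) in net for net in trusted_networks):
            reasons.append("source outside trusted management network")
        if reasons:
            findings.append({"ip": ip, "uri": uri, "status": int(status), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ", ".join(finding["reasons"]), finding["uri"])
```

Matching on a decoded ".." segment rather than the literal string "../" is what catches the "%2F" and "%252e" variants; checking the source address separately surfaces legitimate-looking requests that still violate the segmentation workaround above.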
