CVE-2022-36983

9.8 CRITICAL

📋 TL;DR

This critical authentication bypass vulnerability in Ivanti Avalanche allows remote attackers to gain unauthorized access without credentials. The flaw exists in the SetSettings class where authentication checks are missing. All Ivanti Avalanche installations using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: Versions prior to 6.3.4
Operating Systems: Windows Server (typically)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to modify configurations, deploy malicious packages, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized access leading to configuration changes, data exfiltration, and potential privilege escalation within the Avalanche environment.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH - CVSS 9.8 indicates critical risk for internet-facing systems due to unauthenticated remote exploitation.
🏢 Internal Only: HIGH - Even internally, this allows any network user to bypass authentication and gain unauthorized access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI-CAN-15919 indicates coordinated disclosure. No public exploit code is available, but the flaw is trivial to weaponize given the simple nature of the authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.4

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.3.4 from the official vendor portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade to version 6.3.4.
4. Restart the Avalanche services.

🔧 Temporary Workarounds

Network Access Restriction

Platform: all

Restrict network access to the Avalanche management interface using firewall rules:

# Example Windows Firewall (PowerShell):
New-NetFirewallRule -DisplayName "Block Avalanche External" -Direction Inbound -LocalPort 1777,1778 -Protocol TCP -Action Block
# Example Linux iptables:
iptables -A INPUT -p tcp --dport 1777:1778 -j DROP

As written, both rules block every inbound connection to these ports, including legitimate administrators. If the console must stay reachable from a management network, scope the rule to untrusted source addresses (for example with the -RemoteAddress parameter on Windows, or a -s source match in iptables).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Avalanche servers from untrusted networks
  • Deploy web application firewall (WAF) rules to block unauthorized access attempts to SetSettings endpoints

🔍 How to Verify

Check if Vulnerable:

Check Avalanche version via web interface or installation directory. Versions below 6.3.4 are vulnerable.

Check Version:

On Windows: reg query "HKLM\SOFTWARE\Wavelink\Avalanche" /v Version

Verify Fix Applied:

Verify version shows 6.3.4 or higher in Avalanche web interface under Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to /avalanche/SetSettings endpoints
  • Configuration changes without corresponding user authentication logs
  • Unusual administrative activity from unexpected IP addresses

Network Indicators:

  • HTTP requests to SetSettings endpoints without authentication headers
  • Traffic to Avalanche ports (typically 1777, 1778) from unauthorized sources

SIEM Query:

source="avalanche.log" AND uri="*SetSettings*" AND user="" AND NOT auth_success="true"
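The log and network indicators above can be checked offline against exported access logs. The script below is an added example for this advisory, not code from Ivanti or from the advisory itself: it parses a few constructed log lines in an assumed Combined-Log-Format-like layout (client IP, authenticated user or "-", timestamp, request line, status), flags every request to a SetSettings endpoint that carries no authenticated user, and rates accepted (2xx/3xx) requests higher than rejected ones, because an unauthenticated SetSettings call that the server accepts is the behaviour this vulnerability produces. The field layout, the regex and the sample lines are assumptions for the example; adapt the regex to the actual Avalanche log format in your deployment.

```python
"""Flag unauthenticated requests to Avalanche SetSettings endpoints in access logs.

Added example for CVE-2022-36983 detection; the log layout below is an assumption,
not Avalanche's documented format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed layout (constructed for this example, loosely Combined Log Format):
# <client_ip> - <user or '-'> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str   # "high" = unauthenticated request accepted, "low" = rejected
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_setsettings(path: str) -> bool:
    """True for any path whose route contains SetSettings (query string ignored)."""
    return "setsettings" in path.split("?", 1)[0].lower()


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per SetSettings request that has no authenticated user."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production job should count these too
        if not is_setsettings(rec["path"]):
            continue
        if rec["user"] != "-":
            continue  # an authenticated user is present; not the indicator we want
        status = int(rec["status"])
        if status < 400:
            severity, reason = "high", "unauthenticated SetSettings request accepted by server"
        else:
            severity, reason = "low", "unauthenticated SetSettings request rejected by server"
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"],
                                status, severity, reason))
    return findings


def findings_by_ip(findings: Iterable[Finding]) -> Counter:
    """Count findings per source IP so repeat offenders stand out."""
    return Counter(f.ip for f in findings)


# Constructed sample log; the IPs are documentation ranges and the events are invented.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Aug/2022:12:00:01 +0000] "POST /avalanche/SetSettings HTTP/1.1" 200 512
203.0.113.9 - - [10/Aug/2022:12:00:05 +0000] "POST /avalanche/SetSettings HTTP/1.1" 200 512
203.0.113.9 - - [10/Aug/2022:12:00:07 +0000] "POST /avalanche/SetSettings?mode=bulk HTTP/1.1" 200 128
10.0.0.7 - - [10/Aug/2022:12:01:00 +0000] "GET /avalanche/login HTTP/1.1" 200 2048
198.51.100.4 - - [10/Aug/2022:12:02:00 +0000] "POST /avalanche/SetSettings HTTP/1.1" 401 0
garbage line that does not parse
"""

if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    print("per-IP counts:", dict(findings_by_ip(results)))
```

On the sample data the admin's authenticated call and the login page request are ignored, the two accepted unauthenticated calls from 203.0.113.9 are rated high, and the 401 from 198.51.100.4 is rated low. On a patched 6.3.4 server every unauthenticated SetSettings request should fall into the low bucket; any high finding on an unpatched host warrants an incident review of the configuration changes made around that timestamp.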
