CVE-2023-28127

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in Ivanti Avalanche allows attackers to access arbitrary files on the server by manipulating file path parameters. It affects all Avalanche versions 6.3.x and below, potentially exposing sensitive configuration files, logs, and system information to unauthorized users.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: 6.3.x and below
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the getLogFile functionality specifically; requires network access to Avalanche server

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through exposure of credentials, configuration files, or sensitive data leading to lateral movement and privilege escalation.

🟠 Likely Case

Information disclosure of sensitive system files, logs, and configuration data that could be used for reconnaissance or further attacks.

🟢 If Mitigated

Limited exposure of non-critical files if proper access controls and network segmentation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal attacks are well understood and easy to automate; ZDI has published technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.0 or later

Vendor Advisory: https://forums.ivanti.com/s/article/ZDI-CAN-17769-Ivanti-Avalanche-getLogFile-Directory-Traversal-Information-Disclosure?language=en_US

Restart Required: Yes

Instructions:

1. Download Avalanche 6.4.0 or later from the Ivanti portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart the Avalanche services.

🔧 Temporary Workarounds

Network Access Restriction

windows

Restrict network access to the Avalanche server to trusted IPs only. An Allow rule on its own does not block other sources: Windows Firewall permits inbound traffic when any matching Allow rule exists, so also disable or narrow any broader inbound rule for the same ports.

Windows Firewall: New-NetFirewallRule -DisplayName 'Avalanche Restrict' -Direction Inbound -LocalPort 80,443 -Protocol TCP -RemoteAddress 192.168.1.0/24 -Action Allow

Web Application Firewall

all

Configure WAF to block directory traversal patterns

ModSecurity: SecRule ARGS "@contains ../" "id:1001,phase:2,deny,msg:'Path Traversal Attempt'" (ARGS values are already URL-decoded by ModSecurity, so this also matches %2e%2e%2f; add a matching rule for the backslash form ..\ if Windows-style separators are a concern)

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Avalanche server from untrusted networks
  • Deploy web application firewall with path traversal detection rules

🔍 How to Verify

Check if Vulnerable:

Check Avalanche version via web interface or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wavelink\Avalanche\Version

Check Version:

reg query "HKLM\SOFTWARE\Wavelink\Avalanche" /v Version

Verify Fix Applied:

Verify that the version is 6.4.0 or higher, and confirm that the getLogFile endpoint returns an error when passed traversal payloads.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' patterns to getLogFile endpoint
  • Access to unexpected file paths in web server logs

Network Indicators:

  • HTTP GET requests with encoded traversal sequences (%2e%2e%2f, ..%2f)
  • Multiple failed attempts to access system directories

SIEM Query:

source="web_access.log" AND (uri="*getLogFile*" AND (uri="*../*" OR uri="*..\\*"))
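The SIEM query above matches only a literal '../' or '..\', so the encoded forms listed under Network Indicators slip past it unless the URI is decoded first. The following is an added example, not part of the original advisory: it normalizes each request URI (repeated percent-decoding to defeat double encoding, backslashes folded to slashes) before matching, and runs over constructed access-log lines; the /AvalancheWeb/getLogFile path is an assumed placeholder for the endpoint, not a documented URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The /AvalancheWeb/getLogFile
# path is an assumed placeholder for the vulnerable endpoint, not a documented URL.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2023:10:00:01 +0000] "GET /AvalancheWeb/getLogFile?file=server.log HTTP/1.1" 200 5120
10.0.0.9 - - [01/Apr/2023:10:00:02 +0000] "GET /AvalancheWeb/getLogFile?file=../../conf/example.properties HTTP/1.1" 200 320
10.0.0.9 - - [01/Apr/2023:10:00:03 +0000] "GET /AvalancheWeb/getLogFile?file=%2e%2e%2f%2e%2e%2fconf%2fexample.xml HTTP/1.1" 200 900
10.0.0.9 - - [01/Apr/2023:10:00:04 +0000] "GET /AvalancheWeb/getLogFile?file=..%255c..%255cexample.ini HTTP/1.1" 404 0
10.0.0.7 - - [01/Apr/2023:10:00:05 +0000] "GET /AvalancheWeb/index.html HTTP/1.1" 200 2048
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD URI PROTOCOL", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment that is not glued to a filename, followed by a separator or end of string
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')

def normalize_uri(uri, rounds=3):
    """Percent-decode repeatedly (catches %252e double encoding), then fold backslashes into '/'."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')

def is_traversal_request(uri):
    """True when a request targets getLogFile and carries a traversal sequence in any encoding."""
    normalized = normalize_uri(uri)
    return 'getlogfile' in normalized.lower() and TRAVERSAL_RE.search(normalized) is not None

def scan_access_log(text):
    """Return one hit per suspicious line; 'decoded' shows what the server would actually have seen."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_request(m.group('uri')):
            hits.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                         'uri': m.group('uri'), 'decoded': normalize_uri(m.group('uri'))})
    return hits

def count_by_source(hits):
    """Group hits by client IP so repeated attempts from one source stand out (Network Indicators)."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts
```

Feed real access-log text to scan_access_log and alert on any source whose count_by_source value exceeds your tolerance; a 404 hit is still worth reviewing because it shows probing of the endpoint.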

🔗 References
