CVE-2023-32566

9.1 CRITICAL

📋 TL;DR

CVE-2023-32566 is a vulnerability in Ivanti Avalanche that allows attackers to send specially crafted requests leading to sensitive data leakage or resource-based denial-of-service attacks. This affects organizations using Ivanti Avalanche for mobile device management. The vulnerability is fixed in version 6.4.1.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: Versions prior to 6.4.1
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations of Ivanti Avalanche; specific configurations may vary risk level.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through data exfiltration of sensitive mobile device management data, credentials, and configuration files, followed by resource exhaustion causing service disruption.

🟠 Likely Case

Partial data leakage of configuration information and potential service degradation through resource consumption attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting isolated components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending specially crafted requests but does not require authentication, making exploitation relatively straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.1

Vendor Advisory: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche 6.4.1 from the Ivanti support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade to version 6.4.1.
4. Restart the Avalanche server and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to Avalanche server to only trusted IP addresses and networks.

Web Application Firewall Rules

all

Implement WAF rules to block suspicious request patterns targeting the Avalanche web interface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted sources only.
  • Monitor system logs for unusual request patterns and resource consumption spikes.

🔍 How to Verify

Check if Vulnerable:

Check the Avalanche server version in the web interface under Help > About or via the server console.

Check Version:

Not applicable - use web interface or server console for version check.

Verify Fix Applied:

Confirm version is 6.4.1 or higher in the Avalanche interface and test normal functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns to Avalanche endpoints
  • Increased memory or CPU usage on Avalanche server
  • Error logs showing malformed requests

Network Indicators:

  • Unusual traffic spikes to Avalanche server ports (typically 8080, 8443)
  • Requests with abnormal parameters or headers

SIEM Query:

source="avalanche_logs" AND (http_status=400 OR http_status=500) AND request_size>threshold
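The query above leaves "threshold" as a placeholder. The following added example (not from the page or from Ivanti) applies the same logic offline to a few constructed log lines in an assumed format, flags 400/500 responses to oversized requests on the Avalanche ports named above, and groups the hits per source so a burst from one client stands out:

```python
import re
from collections import Counter

# Constructed sample log lines in an ASSUMED layout (not Ivanti's real log format):
# timestamp src_ip dst_port method path status request_bytes
SAMPLE_LOG = """\
2024-01-10T10:00:01Z 10.0.0.5 8080 GET /AvalancheWeb/ 200 512
2024-01-10T10:00:02Z 203.0.113.7 8443 POST /AvalancheWeb/api 400 98304
2024-01-10T10:00:02Z 203.0.113.7 8443 POST /AvalancheWeb/api 500 131072
2024-01-10T10:00:03Z 203.0.113.7 8443 POST /AvalancheWeb/api 400 120000
2024-01-10T10:00:04Z 10.0.0.9 8080 GET /AvalancheWeb/login 404 300
2024-01-10T10:00:05Z 10.0.0.5 8080 POST /AvalancheWeb/api 200 70000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (\d{3}) (\d+)$")
AVALANCHE_PORTS = {8080, 8443}   # ports listed under Network Indicators
SIZE_THRESHOLD = 65536           # assumed value for the query's "threshold" placeholder
ERROR_BURST = 3                  # assumed: this many flagged hits from one source is a burst

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, method, path, status, size = m.groups()
    return {"ts": ts, "src": src, "port": int(port), "method": method,
            "path": path, "status": int(status), "size": int(size)}

def is_suspicious(rec):
    """Mirror of the SIEM query: 400/500 response to an oversized request on an Avalanche port."""
    return (rec["port"] in AVALANCHE_PORTS
            and rec["status"] in (400, 500)
            and rec["size"] > SIZE_THRESHOLD)

def analyse(log_text):
    """Return (flagged records, sources whose flagged count reaches ERROR_BURST)."""
    flagged = [r for r in map(parse_line, log_text.splitlines()) if r and is_suspicious(r)]
    per_src = Counter(r["src"] for r in flagged)
    bursts = sorted(src for src, n in per_src.items() if n >= ERROR_BURST)
    return flagged, bursts

if __name__ == "__main__":
    hits, bursts = analyse(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ts']} {r['src']} -> :{r['port']} {r['status']} {r['size']} bytes")
    print("burst sources:", bursts)
```

Tune SIZE_THRESHOLD and ERROR_BURST against a baseline of normal Avalanche traffic before relying on the output.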
