CVE-2024-13180
📋 TL;DR
CVE-2024-13180 is a path traversal vulnerability in Ivanti Avalanche that allows remote unauthenticated attackers to access sensitive files and information. This affects Ivanti Avalanche versions before 6.4.7 and represents an incomplete fix for CVE-2024-47011. Organizations using vulnerable versions of Ivanti Avalanche are at risk of information disclosure.
💻 Affected Systems
- Ivanti Avalanche
📦 What is this software?
Avalanche by Ivanti
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through sensitive configuration file access leading to credential theft, lateral movement, and potential ransomware deployment.
Likely Case
Unauthorized access to sensitive configuration files, passwords, and system information enabling further attacks.
If Mitigated
Limited information disclosure with no critical system access due to proper network segmentation and access controls.
🎯 Exploit Status
Remote unauthenticated exploitation makes this particularly dangerous. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.7
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
Restart Required: Yes
Instructions:
1. Download Ivanti Avalanche 6.4.7 from the Ivanti support portal. 2. Backup current configuration and data. 3. Run the installer to upgrade to version 6.4.7. 4. Restart the Avalanche service. 5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Network Access Restriction
WindowsRestrict network access to Ivanti Avalanche to only trusted IP addresses and networks.
Use firewall rules to limit access: netsh advfirewall firewall add rule name="Restrict Avalanche" dir=in action=allow protocol=TCP localport=1777 remoteip=192.168.1.0/24
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ivanti Avalanche from critical systems
- Deploy web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Avalanche version in the web interface under Help > About or examine the installation directory for version files.Check Version:
Check the Avalanche installation directory for version.txt or examine the web interface at https://[avalanche-server]:1777/help/aboutVerify Fix Applied:
Verify the version shows 6.4.7 or higher in the Avalanche web interface under Help > About.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Avalanche logs
- Multiple failed path traversal attempts
- Access to sensitive configuration files from unauthorized sources
Network Indicators:
- Unusual HTTP requests with ../ patterns to Avalanche server
- Multiple requests for sensitive file paths from single IP
SIEM Query:
source="avalanche.log" AND ("..\" OR "../" OR "%2e%2e%2f") AND response_code=200