CVE-2024-24992
📋 TL;DR
This path traversal vulnerability in Ivanti Avalanche allows authenticated remote attackers to execute arbitrary commands with SYSTEM privileges. It affects Ivanti Avalanche versions before 6.4.3. Attackers can leverage this to gain complete control over affected systems.
💻 Affected Systems
- Ivanti Avalanche
📦 What is this software?
Avalanche by Ivanti
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to data theft, ransomware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Attackers gain SYSTEM-level command execution, enabling them to steal sensitive data, install malware, or pivot to other systems in the network.
If Mitigated
With proper network segmentation and access controls, impact is limited to the affected Avalanche server, though SYSTEM compromise remains severe.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. ZDI-CAN-22854 indicates active research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.3
Vendor Advisory: https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US
Restart Required: Yes
Instructions:
1. Download Ivanti Avalanche 6.4.3 from official sources.
2. Backup current configuration and data.
3. Run the installer to upgrade to version 6.4.3.
4. Restart the Avalanche server and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the Avalanche web interface to only trusted administrative networks.
Authentication Hardening
Implement strong authentication policies, multi-factor authentication, and monitor for suspicious login attempts.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Avalanche web interface.
- Monitor for unusual process creation or command execution events on the Avalanche server.
🔍 How to Verify
Check if Vulnerable:
Check the Avalanche version in the web interface or via the installed programs list. If the version is below 6.4.3, the system is vulnerable.
Check Version:
Check via Windows Programs and Features or the Avalanche web interface login page.
Verify Fix Applied:
Confirm version is 6.4.3 or higher in Avalanche web interface or installed programs.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path access patterns in web logs
- Suspicious command execution events in Windows Event Logs (Event ID 4688)
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from Avalanche server
- Traffic patterns suggesting command and control communication
SIEM Query:
source="avalanche_logs" AND (path="*../*" OR command="*cmd*" OR command="*powershell*")
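As an added example (not part of the original advisory), the following Python script applies the version threshold from "How to Verify" and the path-traversal idea behind the SIEM query above to a few constructed log lines, decoding URL-encoded variants that a plain `*../*` match would miss. The log line format, request paths and version strings are assumed for illustration; they are not real Avalanche log samples.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (method, path, status); not real Avalanche logs.
SAMPLE_LOG = """\
GET /AvalancheWeb/index.html 200
GET /AvalancheWeb/../../Windows/System32/cmd.exe 200
POST /AvalancheWeb/upload?file=..%2F..%2Fwindows%2Fwin.ini 200
GET /AvalancheWeb/images/logo.png 200
GET /AvalancheWeb/..%5c..%5cboot.ini 404
"""

# "../" or "..\" after decoding; same intent as the SIEM clause path="*../*",
# but also catches %2e%2e%2f, %2e%2e%5c and double-encoded forms.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def find_traversal(log_text: str) -> list[str]:
    """Return the raw request paths whose decoded form contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed or empty line
        path = parts[1]
        decoded = unquote(unquote(path))  # two passes for double-encoded input
        if TRAVERSAL_RE.search(decoded):
            hits.append(path)
    return hits


FIXED_VERSION = (6, 4, 3)  # first fixed release per the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '6.4.2' into (6, 4, 2); pads short strings so '6.4' compares as 6.4.0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_vulnerable(version: str) -> bool:
    """True when the installed Avalanche version is older than 6.4.3."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for p in find_traversal(SAMPLE_LOG):
        print("traversal attempt:", p)
    print("6.4.2 vulnerable:", is_vulnerable("6.4.2"))
```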