CVE-2024-47010
📋 TL;DR
CVE-2024-47010 is a path traversal vulnerability in Ivanti Avalanche that allows remote unauthenticated attackers to bypass authentication mechanisms. This affects all Ivanti Avalanche installations before version 6.4.5, potentially exposing sensitive systems to unauthorized access.
💻 Affected Systems
- Ivanti Avalanche
📦 What is this software?
Avalanche by Ivanti
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to gain administrative access, exfiltrate sensitive data, deploy ransomware, or pivot to other network systems.
Likely Case
Unauthorized access to the Avalanche management interface leading to configuration changes, device management compromise, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect exploitation attempts.
🎯 Exploit Status
Path traversal vulnerabilities typically have low exploitation complexity, and unauthenticated access makes this attractive for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.5
Vendor Advisory: https://forums.ivanti.com/s/article/Ivanti-Avalanche-6-4-5-Security-Advisory
Restart Required: Yes
Instructions:
1. Download Ivanti Avalanche 6.4.5 from the Ivanti support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade to version 6.4.5.
4. Restart the Avalanche service or server as required.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Avalanche server to only trusted IP addresses or networks.
Use firewall rules to limit access to Avalanche ports (typically 1777, 1778, 1779)
Web Application Firewall
Deploy a WAF with path traversal protection rules to block exploitation attempts.
Configure WAF rules to detect and block ../ sequences and other path traversal patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Avalanche server from untrusted networks
- Enable detailed logging and monitoring for authentication bypass attempts and unusual access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Avalanche version in the web interface or via the About dialog in the Avalanche console.
Check Version:
In Avalanche web interface: Navigate to Help > About or check the server properties in the console.
Verify Fix Applied:
Confirm version shows 6.4.5 or higher in the Avalanche interface and test authentication requirements for all access paths.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access without credentials
- Unusual file path access patterns in web server logs
- Access to administrative URLs from unauthenticated sources
Network Indicators:
- HTTP requests containing ../ sequences or path traversal patterns to Avalanche endpoints
- Unauthenticated access to protected endpoints
SIEM Query:
source="avalanche_logs" AND (uri="*../*" OR (status=200 AND auth="none"))
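One way to apply the log and network indicators above to web access logs, as an added example (not Ivanti's code and not part of the original page). It assumes Common Log Format lines; the sample entries, paths and addresses are constructed. It goes slightly beyond the literal `../` match by percent-decoding the URI repeatedly before checking, and it rates hits that were served (2xx) without an authenticated user highest.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format (host ident user [time] "request" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# A ".." path segment delimited by / or \ (or by the start/end of the URI).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms surface."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def scan(lines):
    """Return one finding per request whose decoded URI has a '..' segment."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not TRAVERSAL_RE.search(normalize(m["uri"])):
            continue
        status, anonymous = int(m["status"]), m["user"] == "-"
        findings.append({
            "ip": m["ip"], "uri": m["uri"], "status": status,
            # Served (2xx) with no authenticated user: triage these first.
            "severity": "high" if anonymous and 200 <= status < 300 else "review",
        })
    return findings

# Constructed sample entries; paths and addresses are illustrative only.
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Sep/2024:10:00:01 +0000] "GET /console/index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [12/Sep/2024:10:01:22 +0000] "GET /public/../admin/settings HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Sep/2024:10:01:25 +0000] "GET /public/%252e%252e%252fadmin/settings HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Sep/2024:10:02:40 +0000] "GET /public/%2e%2e/admin/settings HTTP/1.1" 403 312',
    '192.0.2.10 - alice [12/Sep/2024:10:03:00 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["status"], f["ip"], f["uri"])
```

Adjust `LOG_RE` to the actual log layout of the server or reverse proxy in front of Avalanche before relying on the results.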