An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
An attacker sends specially crafted data packets to the Mobile Device Server. Improper processing of these packets leads to memory corruption (memory corruption) as a result of writing outside the allocated buffer (out-of-bounds write). The consequence may be both destabilization of the server process and takeover of control over the application execution flow.
An attacker can remotely execute arbitrary code on the server (RCE) or cause its unavailability (DoS). In case of successful RCE, complete takeover of the vulnerable system is possible.
Ivanti Avalanche should be updated to version 6.4.2 or newer, in which the vulnerability has been fixed. Detailed instructions are available in the official release notes from the manufacturer at the address provided in the references.
Ivanti Avalanche in versions earlier than 6.4.2, running on Microsoft Windows platform. Details in the release notes for version 6.4.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Avalanche
APPIvanti< 6.4.2Microsoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit