Exploit Code Released for Severe Ivanti Avalanche Vulnerability (CVE-2024-29204)

Exploit code is now available for a critical vulnerability (CVE-2024-29204) that has been identified in Ivanti Avalanche, a widely deployed mobile device management (MDM) solution used by enterprises. This flaw, rated 9.8 on the CVSS scale, allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems.

Why This Matters

Ivanti Avalanche is a popular mobile device management (MDM) solution used by organizations worldwide to manage thousands of mobile devices. Successful exploitation of this vulnerability could grant attackers unfettered control over those devices, including:

• Data Theft: Exfiltrate sensitive information like device data, user credentials, and business-critical files.
• Ransomware Deployment: Encrypt data and demand payment, potentially disrupting operations.
• Network Intrusion: Use compromised devices as a gateway to move laterally within a corporate network.

Worryingly, proof-of-concept exploit code has been released, increasing the likelihood of attacks targeting the CVE-2024-29204 vulnerability. This makes immediate patching a top priority.

Understanding the Vulnerability

The flaw resides in the WLAvalancheService component of all Ivanti Avalanche versions before 6.4.3. It is a Heap Overflow vulnerability that allows remote unauthenticated attackers to execute arbitrary commands on the affected systems. This can be achieved without any user interaction through a series of low-complexity attacks, making it particularly dangerous and easy to exploit.

The vulnerability is caused by a heap-based buffer overflow issue. Specifically, it arises within the WLAvalancheService.exe, which permits the upload of extensive file data via multiple RSP_FILE_UPLOAD and RSP_FILE_UPLOAD_CONT messages from a client. Each message carries a block of compressed file data in the ‘p.parcel’ property of the message payload, which has a size cap set by the preamble.MsgSize, with a maximum allowable size of 0x200000.

During the process, the compressed and decompressed sizes of a file block are defined in the ‘p.parcel.cmp’ and ‘p.parcel.info’ properties, respectively. The transmission of the final file block is indicated by setting the ‘p.eof’ property to a non-zero value. WLAvalancheService.exe then calculates the total decompressed size for all file blocks from these messages and allocates a corresponding buffer to store the decompressed data.

However, an attacker can exploit this mechanism by specifying an abnormally large decompressed size in multiple RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT messages, leading to an int32 overflow. This overflow results in a heap-based buffer overflow when the decompressed data exceeds and spills over the allocated buffer size, allowing the execution of arbitrary code.

Company Response and Solutions

Ivanti has promptly responded to the disclosure of this flaw, which was first identified by a researcher from Tenable. The company has not recorded any exploits of this vulnerability in the wild before its public disclosure and credits the finding to its responsible disclosure program. In their security advisory released on Tuesday, Ivanti strongly recommended that customers download the Avalanche installer and update to the latest version, Avalanche 6.4.3, to mitigate this vulnerability.

Customers are urged to access the latest release via the official Ivanti link provided in their advisory and follow the detailed upgrade steps outlined in the support article to ensure protection against potential exploits.