Description
A critical vulnerability has been identified in the Path Traversal mechanism of Ivanti Avalanche before version 6.4.7 that allows a remote unauthenticated attacker to bypass authentication.
Affected Product(s)
- Ivanti Avalanche (Numerous versions up to 6.4.7)
Technical Details
The CVE-2024-12686 vulnerability has been discovered within BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products. This issue arises from an improper neutralization of special elements used in operating system commands, also known as OS Command Injection. By exploiting this flaw, an attacker who already has administrative privileges can inject arbitrary commands into scripts executed by the system, potentially running these commands as a site user.
Privileged Remote Access (PRA) is a secure platform used by organizations to enable remote access to critical systems. It allows administrative tasks to be executed from a remote location, providing an environment where administrators can perform their duties with appropriate access controls and auditing in place. Remote Support (RS), on the other hand, is deployed to aid helpdesk and technical support operations by enabling remote troubleshooting and issue resolution. The specific method of exploitation stems from improper input validation on components handling commands or scripts.
When an application does not properly sanitize user input, especially from entities that already have a degree of privilege, it becomes susceptible to command injection attacks.An attacker can manipulate input data and craft a payload that gets executed in the context of the system’s operating environment. Discovered by security researchers, this vulnerability carries a CVSS v3 severity score of 7.2, classifying it as high severity. Its significance lies in the combination of attack complexity and the level of access required for exploitation. Although administrative privileges are necessary to execute the attack, the compromised commands can have far-reaching consequences, breaching the core of system operations and potentially resulting in a total system compromise.
Affected versions of BeyondTrust’s PRA include 22.2.1 to 24.3.1, while the RS versions impacted range from 9.0.0 to 24.3.1. Both products facilitate communication over authenticated channels, escalating the risk if command injection attacks are executed within trusted sessions. Worst-case scenarios envision scenarios where adversaries leverage this flaw to pivot within the network, establish persistence mechanisms, or exfiltrate sensitive data from compromised systems. Historical context demonstrates that command injection flaws are some of the most devastating vulnerabilities due to their potential impact.
Threat actors who have previously targeted similar flaws in remote access and support tools have been able to achieve inconspicuous execution of malicious commands, sometimes avoiding detection by traditional security mechanisms. In this case, BeyondTrust’s products, being already integral to the infrastructure of many large organizations, present lucrative targets for cybercriminals.
The breach method stands as follows: an attacker with admin privileges interacts with the application interface or interfaces exposed to trusted admin users. By injecting malformed command sequences into input fields or data streams processed by the application, an attacker can cause the backend to execute those commands. These commands could range from creating new user accounts with elevated privileges, modifying existing configurations, extracting sensitive data repositories, or even implanting backdoors for future exploitation. It should be noted that BeyondTrust has swiftly responded to the disclosure of this vulnerability.
Security alerts and advisories have been published, outlining the nature of the flaw and urging affected users to apply the necessary patches provided by the vendor. This proactive approach is essential to mitigating the risks associated with CVE-2024-12686. Given the critical nature of this vulnerability in both PRA and RS tools, it is paramount for organizations to stay vigilant and prioritize the patching process. The issue underlines the importance of input validation and secure coding practices, reinforcing the need for ongoing security assessments and timely updates. The ultimate goal is to fortify remote access systems against unauthorized command execution, maintaining the integrity and security of organizational IT environments.
Weakness
The vulnerabilities associated with CVE-2024-13179 and related CVEs arise from two primary weaknesses โ improper limitation of pathnames to restricted directories (‘Path Traversal’, CWE-22), and bypassing authentication using alternative paths or channels (CWE-288). Path Traversal allows attackers to navigate directories unauthorized, accessing sensitive files, whereas improperly controlled alternate paths or channels in authentication mechanisms allow attackers to bypass standard security mechanisms and gain unauthorized access.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. The potential impact includes unauthorized access to critical system files and directories, leading to data breaches, system compromises, and potentially allowing attackers to install malicious software, manipulate data, and further exploit the compromised system for additional attacks. The critical nature of these vulnerabilities, with a CVSS v3 score of 9.8, underscores the urgent need for remediation to prevent severe security breaches.
Active Exploitation
We have observed activity indicating potential exploitation attempts by malicious entities. Unauthenticated attackers can leverage the identified path traversal vulnerabilities to manipulate the system and gain unauthorized access. The public availability of proof-of-concept exploits increases the likelihood of exploitation attempts targeting vulnerable systems, stressing the importance of urgent patch application and enhanced monitoring for suspicious activities.
Ransomware Association
Currently, there are no specific ransomware associations identified with the vulnerability CVE-2024-13179. However, vulnerabilities that allow unauthorized access and system manipulation can be leveraged as entry points for ransomware attacks. Continuous monitoring and prompt patch application are essential to mitigate the risk of potential ransomware exploitation in the future.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to version 6.4.7 immediately. This version includes comprehensive fixes for the identified path traversal and authentication bypass vulnerabilities. It is imperative to update all instances of Ivanti Avalanche to the latest version to ensure that security patches are applied effectively, mitigating the risks associated with these critical vulnerabilities.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Update Ivanti Avalanche to version 6.4.7 to address the identified vulnerabilities.
- Implement enhanced monitoring systems to detect and respond to potential exploitation attempts.
- Perform regular security assessments and penetration testing to identify and mitigate potential vulnerabilities.
- Ensure proper security configurations are in place and avoid exposing sensitive endpoints to unauthorized access.
- Educate and train staff on recognizing and responding to security threats.
- Regularly backup data and maintain recovery procedures to minimize the impact of potential security breaches.
References