CVE-2024-29204

A heap-based buffer overflow vulnerability exists in Ivanti Avalanche prior to 6.4.3.A message sent to Avalanche's WLAvalancheService.exe on TCP port 1777 has the following structure:// be = big-endian strut msg { preamble pre; hp hdrpay; }; struct preamble { be32 MsgSize; // size of hp + 16 be32 HdrSize; // size of hp.hdr be32 PayloadSize; // size of hp.payload be32 unk:24; be32 em:8; // encryption method }; // header + payload struct hp { MuProperty hdr[]; // hdr as array of MuProperty structure(s) // h.cmd // - REQ_REGISTER (18) // - RSP_REGISTER (19) // - REQ_AUTH_DEVICE_KEY (28) // - RSP_AUTH_DEVICE_KEY (29) // - REQ_AUTH_AGENT_KEY (30) // - RSP_AUTH_AGENT_KEY (31) // - REQ_FILE_UPLOAD (10) // - RSP_FILE_UPLOAD (11) // - REQ_FILE_UPLOAD_CONT (12) // - RSP_FILE_UPLOAD_CONT (13) // - ... MuProperty payload[]; // payload as array of MuProperty structure(s) byte pad[]; // zero-padded to 16-byte boundary }; struct MuProperty { be32 type; // property type, valid: 1-9, 100-102 be32 NameSize; be32 ValueSize; byte name[NameSize]; // property name byte value[ValueSize]; // property value // format depends on @type // 3 - hex string // 9 - list of decimal strings separated by ; // 100-102 - list of tokens separated by ; };WLAvalancheService.exe allows upload of a large amount of file data via multiple RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT messages from the client. Each message carries a block of compressed file data in the 'p.parcel' property in the message payload, which is limited to a certain size as preamble.MsgSize has a maximum size (i.e., 0x200000).The compressed and decompressed sizes of a file block are specified in the 'p.parcel.cmp' and 'p.parcel.info' properties, respectively. The last file block transferred is indicated by the 'p.eof' property set to a non-zero value.  WLAvalancheService.exe calculates the decompressed size for all file blocks by adding the decompressed size in each RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT message and allocates a buffer of that size to store the decompressed file data:// WLAvalancheService.exe v6.4.2.0 [...] .text:004C4715 foreach_file_upload_msg: ; CODE XREF: sub_4C4650+E6↓j .text:004C4715 mov eax, [ebp+inmsg] .text:004C4718 mov ecx, [eax+INMSG.pNext] .text:004C471E mov [ebp+inmsg], ecx .text:004C4721 .text:004C4721 loc_4C4721: ; CODE XREF: sub_4C4650+C3↑j .text:004C4721 cmp [ebp+inmsg], 0 .text:004C4725 jz short loc_4C4738 .text:004C4727 mov edx, [ebp+inmsg] .text:004C472A mov eax, [ebp+TotalDecompressedSize] .text:004C472D add eax, [edx+INMSG.DecompressedSize] ; int32 overflow .text:004C4733 mov [ebp+TotalDecompressedSize], eax .text:004C4736 jmp short foreach_file_upload_msg .text:004C4738 ; --------------------------------------------------------------------------- .text:004C4738 .text:004C4738 loc_4C4738: ; CODE XREF: sub_4C4650+D5↑j .text:004C4738 mov ecx, [ebp+TotalDecompressedSize] .text:004C473B push ecx .text:004C473C call operator new(uint) .text:004C4741 add esp, 4 .text:004C4744 mov [ebp+var_74], eax .text:004C4747 mov edx, [ebp+var_74] .text:004C474A mov [ebp+pbDecompressedBuf], edx [...] .text:004C47E5 lea eax, [ebp+pbDecompressedMsg] .text:004C47E8 push eax .text:004C47E9 mov ecx, [ebp+pSession] .text:004C47EF mov edx, [ecx+SESS.field_1BB4] .text:004C47F5 push edx .text:004C47F6 mov eax, [ebp+inmsg] .text:004C47F9 push eax .text:004C47FA mov ecx, [ebp+pSession] .text:004C4800 call decompress_msg ; return true/false .text:004C4805 mov byte ptr [ebp+var_64], al .text:004C4808 mov ecx, [ebp+var_64] .text:004C480B and ecx, 0FFh .text:004C4811 test ecx, ecx .text:004C4813 jz short err_4C4886 .text:004C4815 cmp [ebp+pbDecompressedMsg], 0 .text:004C4819 jz short copy_input_data .text:004C481B mov edx, [ebp+inmsg] .text:004C481E mov ecx, [edx+INMSG.DecompressedSize] .text:004C4824 mov esi, [ebp+pbDecompressedMsg] .text:004C4827 mov edi, [ebp+pbDecompressedBuf] .text:004C482A add edi, [ebp+offset] .text:004C482D mov eax, ecx .text:004C482F shr ecx, 2 .text:004C4832 rep movsd ; copy decompressed data to small .text:004C4832 ; heap buf -> heap overflow .text:004C4834 mov ecx, eax .text:004C4836 and ecx, 3 .text:004C4839 rep movsb [...]An unauthenticated remote attacker can specify a large decompressed size in multiple RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT messages to cause an int32 overflow in the total decompressed size for all file blocks. This can result in a heap-based buffer overflow when decompressed data is copied to a small heap-based buffer.

This Cyber News was published on www.tenable.com. Publication date: Thu, 18 Apr 2024 00:41:03 +0000


Cyber News related to CVE-2024-29204

AWS LetsEncrypt Lambda: Custom TLS Provider - DZone - Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in ...
1 month ago Feeds.dzone.com
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
8 months ago Cisa.gov
CVE-2024-29204 - A heap-based buffer overflow vulnerability exists in Ivanti Avalanche prior to 6.4.3.A message sent to Avalanche's WLAvalancheService.exe on TCP port 1777 has the following structure:// be = big-endian strut msg { preamble pre; hp hdrpay; }; struct ...
7 months ago Tenable.com
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
8 months ago Cisa.gov
CVE-2020-29204 - XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. ...
3 years ago
CVE-2021-29204 - A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE ...
3 years ago
CVE-2022-29204 - TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which ...
2 years ago
CVE-2023-29204 - XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the ...
1 year ago
CVE-2024-37051 - GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 ...
5 months ago Tenable.com
The Top 24 Security Predictions for 2024 - Welcome to the second installment of this comprehensive annual look at global cybersecurity industry predictions from the top security industry vendors, technology magazines, expert thought leaders and many more. Last week, in part one of The Top 24 ...
10 months ago Securityboulevard.com
CVE-2024-9256 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9255 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9254 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9253 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9252 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9251 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9250 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9246 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
CVE-2024-9243 - Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Doc objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote ...
1 month ago Tenable.com
Securing Gold: Assessing Cyber Threats on Paris 2024 - The next Olympic Games hosted in Paris will take place from 26 July to 11 August 2024, while the Paralympic Games will be carried out from 28 August to 8 September 2024. Paris 2024 estimated the number of spectators for the next edition to be 9,7 ...
10 months ago Blog.sekoia.io
Microsoft Office 2024 now available for Windows and macOS users - As announced earlier in September, starting in Office 2024, Microsoft will also turn off ActiveX controls by default in Word, Excel, PowerPoint, and Visio client apps, a measure likely prompted by ActiveX's well-known security issues. Last month, ...
1 month ago Bleepingcomputer.com
Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now! - “Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, ...
1 month ago Securityaffairs.com
The Top 24 Security Predictions for 2024 - For 2024, top topics range from upcoming elections to regional wars to space exploration to advances in AI. And with technology playing a more central role in every area of life, annual cybersecurity prediction reports, cyber industry forecasts and ...
11 months ago Securityboulevard.com
Ransomware Attack Demands Reach a Staggering $5.2m in 2024 - The average extortion demand per ransomware attack was over $5.2m in the first half of 2024, according to a new analysis by Comparitech. This figure was calculated from 56 known ransom demands issued by threat actors from January-June 2024. The ...
4 months ago Infosecurity-magazine.com
Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security - Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity. For the second straight month, ...
10 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)