CVE-2024-29204

A heap-based buffer overflow vulnerability exists in Ivanti Avalanche prior to 6.4.3. A message sent to Avalanche's WLAvalancheService.exe on TCP port 1777 has the following structure:

    // be = big-endian
    struct msg {
        preamble pre;
        hp hdrpay;
    };

    struct preamble {
        be32 MsgSize;      // size of hp + 16
        be32 HdrSize;      // size of hp.hdr
        be32 PayloadSize;  // size of hp.payload
        be32 unk:24;
        be32 em:8;         // encryption method
    };

    // header + payload
    struct hp {
        MuProperty hdr[];      // hdr as array of MuProperty structure(s)
                               // h.cmd
                               // - REQ_REGISTER (18)
                               // - RSP_REGISTER (19)
                               // - REQ_AUTH_DEVICE_KEY (28)
                               // - RSP_AUTH_DEVICE_KEY (29)
                               // - REQ_AUTH_AGENT_KEY (30)
                               // - RSP_AUTH_AGENT_KEY (31)
                               // - REQ_FILE_UPLOAD (10)
                               // - RSP_FILE_UPLOAD (11)
                               // - REQ_FILE_UPLOAD_CONT (12)
                               // - RSP_FILE_UPLOAD_CONT (13)
                               // - ...
        MuProperty payload[];  // payload as array of MuProperty structure(s)
        byte pad[];            // zero-padded to 16-byte boundary
    };

    struct MuProperty {
        be32 type;              // property type, valid: 1-9, 100-102
        be32 NameSize;
        be32 ValueSize;
        byte name[NameSize];    // property name
        byte value[ValueSize];  // property value
                                // format depends on @type
                                // 3 - hex string
                                // 9 - list of decimal strings separated by ;
                                // 100-102 - list of tokens separated by ;
    };

WLAvalancheService.exe allows upload of a large amount of file data via multiple RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT messages from the client. Each message carries a block of compressed file data in the 'p.parcel' property of the message payload; the block is bounded in size because preamble.MsgSize has a maximum value (0x200000). The compressed and decompressed sizes of a file block are specified in the 'p.parcel.cmp' and 'p.parcel.info' properties, respectively. The last file block transferred is indicated by the 'p.eof' property set to a non-zero value.
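The following is an added example written for this page, not Avalanche or Tenable code: a bounds-checked reader for the preamble and MuProperty layout above, together with a builder that constructs an RSP_FILE_UPLOAD-style message from test values so the reader can be exercised offline. The property names mirror those in the description, but their values and the use of type 1 for decimal-string values are assumptions; the 0x200000 cap on MsgSize is the one stated in the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Avalanche or Tenable code: a bounds-checked reader for the
 * preamble and MuProperty layout above. The message it parses is built here from
 * constructed test values; property type 1 for decimal-string values is assumed. */

#define MAX_MSG_SIZE 0x200000u   /* cap on preamble.MsgSize stated in the text */

typedef struct { uint32_t type, name_size, value_size; const uint8_t *name, *value; } mu_property;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse one MuProperty from buf[0..len). Returns bytes consumed, 0 if malformed. */
size_t parse_mu_property(const uint8_t *buf, size_t len, mu_property *out) {
    if (len < 12) return 0;
    uint32_t type = be32(buf), ns = be32(buf + 4), vs = be32(buf + 8);
    if (!((type >= 1 && type <= 9) || (type >= 100 && type <= 102))) return 0;
    size_t rem = len - 12;
    if (ns > rem || vs > rem - ns) return 0;   /* checked one at a time: ns + vs cannot wrap */
    out->type = type; out->name_size = ns; out->value_size = vs;
    out->name = buf + 12; out->value = buf + 12 + ns;
    return 12 + (size_t)ns + vs;
}

/* A hdr or payload region must consist exactly of whole MuProperty records. */
static int parse_region(const uint8_t *p, size_t len, mu_property *props, int max, int n) {
    while (len > 0) {
        size_t used = (n < max) ? parse_mu_property(p, len, &props[n]) : 0;
        if (used == 0) return -1;
        p += used; len -= used; n++;
    }
    return n;
}

/* Parse preamble, hdr and payload. Returns the property count or -1. */
int parse_msg(const uint8_t *buf, size_t len, mu_property *props, int max) {
    if (len < 16) return -1;
    uint32_t msg = be32(buf), hdr = be32(buf + 4), pay = be32(buf + 8);
    if (msg < 16 || msg > MAX_MSG_SIZE || msg > len) return -1;
    if (hdr > msg - 16 || pay > msg - 16 - hdr) return -1;   /* hdr + payload must fit in hp */
    int n = parse_region(buf + 16, hdr, props, max, 0);
    return n < 0 ? -1 : parse_region(buf + 16 + hdr, pay, props, max, n);
}

/* Append one MuProperty; returns bytes written, 0 if it does not fit in cap. */
size_t put_property(uint8_t *p, size_t cap, uint32_t type, const char *name, const char *value) {
    size_t ns = strlen(name), vs = strlen(value);
    if (cap < 12 + ns + vs) return 0;
    put_be32(p, type); put_be32(p + 4, (uint32_t)ns); put_be32(p + 8, (uint32_t)vs);
    memcpy(p + 12, name, ns); memcpy(p + 12 + ns, value, vs);
    return 12 + ns + vs;
}

/* Build a constructed RSP_FILE_UPLOAD-style message: h.cmd in hdr, three p.*
 * properties in payload, hp zero-padded to a 16-byte boundary. Returns its length. */
size_t build_sample_msg(uint8_t *out, size_t cap) {
    if (cap < 16) return 0;
    uint8_t *hp = out + 16;
    size_t hdr = put_property(hp, cap - 16, 1, "h.cmd", "11"), pay = 0;
    pay += put_property(hp + hdr + pay, cap - 16 - hdr - pay, 1, "p.parcel.cmp", "64");
    pay += put_property(hp + hdr + pay, cap - 16 - hdr - pay, 1, "p.parcel.info", "4096");
    pay += put_property(hp + hdr + pay, cap - 16 - hdr - pay, 1, "p.eof", "1");
    size_t body = hdr + pay, padded = (body + 15) & ~(size_t)15;
    if (16 + padded > cap) return 0;
    memset(hp + body, 0, padded - body);
    put_be32(out, (uint32_t)(16 + padded)); put_be32(out + 4, (uint32_t)hdr);
    put_be32(out + 8, (uint32_t)pay);       put_be32(out + 12, 0);   /* unk:24 = 0, em:8 = 0 */
    return 16 + padded;
}

int sample_property_count(void) {          /* 4: h.cmd, p.parcel.cmp, p.parcel.info, p.eof */
    uint8_t buf[256]; mu_property props[8];
    size_t n = build_sample_msg(buf, sizeof buf);
    return parse_msg(buf, n, props, 8);
}
/* Same message with the first payload property's ValueSize inflated past the end
 * of the message; a reader that trusts ValueSize would read out of bounds here. */
int oversized_value_rejected(void) {
    uint8_t buf[256]; mu_property props[8];
    size_t n = build_sample_msg(buf, sizeof buf);
    put_be32(buf + 16 + be32(buf + 4) + 8, 0x7FFFFFFFu);
    return parse_msg(buf, n, props, 8) == -1;
}

int main(void) {
    printf("properties parsed: %d, oversized ValueSize rejected: %d\n",
           sample_property_count(), oversized_value_rejected());
    return 0;
}
```

The two length checks in parse_mu_property are deliberately separate: comparing `ns + vs` against the remaining length in one expression would let a large ValueSize wrap the sum and pass, which is the same class of arithmetic mistake the advisory describes in the size accumulation.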
WLAvalancheService.exe calculates the total decompressed size for all file blocks by summing the decompressed size from each RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT message, then allocates a buffer of that size to store the decompressed file data:

    // WLAvalancheService.exe v6.4.2.0
    [...]
    .text:004C4715 foreach_file_upload_msg:                ; CODE XREF: sub_4C4650+E6↓j
    .text:004C4715     mov     eax, [ebp+inmsg]
    .text:004C4718     mov     ecx, [eax+INMSG.pNext]
    .text:004C471E     mov     [ebp+inmsg], ecx
    .text:004C4721
    .text:004C4721 loc_4C4721:                             ; CODE XREF: sub_4C4650+C3↑j
    .text:004C4721     cmp     [ebp+inmsg], 0
    .text:004C4725     jz      short loc_4C4738
    .text:004C4727     mov     edx, [ebp+inmsg]
    .text:004C472A     mov     eax, [ebp+TotalDecompressedSize]
    .text:004C472D     add     eax, [edx+INMSG.DecompressedSize] ; int32 overflow
    .text:004C4733     mov     [ebp+TotalDecompressedSize], eax
    .text:004C4736     jmp     short foreach_file_upload_msg
    .text:004C4738 ; ---------------------------------------------------------------------------
    .text:004C4738
    .text:004C4738 loc_4C4738:                             ; CODE XREF: sub_4C4650+D5↑j
    .text:004C4738     mov     ecx, [ebp+TotalDecompressedSize]
    .text:004C473B     push    ecx
    .text:004C473C     call    operator new(uint)
    .text:004C4741     add     esp, 4
    .text:004C4744     mov     [ebp+var_74], eax
    .text:004C4747     mov     edx, [ebp+var_74]
    .text:004C474A     mov     [ebp+pbDecompressedBuf], edx
    [...]
    .text:004C47E5     lea     eax, [ebp+pbDecompressedMsg]
    .text:004C47E8     push    eax
    .text:004C47E9     mov     ecx, [ebp+pSession]
    .text:004C47EF     mov     edx, [ecx+SESS.field_1BB4]
    .text:004C47F5     push    edx
    .text:004C47F6     mov     eax, [ebp+inmsg]
    .text:004C47F9     push    eax
    .text:004C47FA     mov     ecx, [ebp+pSession]
    .text:004C4800     call    decompress_msg                  ; return true/false
    .text:004C4805     mov     byte ptr [ebp+var_64], al
    .text:004C4808     mov     ecx, [ebp+var_64]
    .text:004C480B     and     ecx, 0FFh
    .text:004C4811     test    ecx, ecx
    .text:004C4813     jz      short err_4C4886
    .text:004C4815     cmp     [ebp+pbDecompressedMsg], 0
    .text:004C4819     jz      short copy_input_data
    .text:004C481B     mov     edx, [ebp+inmsg]
    .text:004C481E     mov     ecx, [edx+INMSG.DecompressedSize]
    .text:004C4824     mov     esi, [ebp+pbDecompressedMsg]
    .text:004C4827     mov     edi, [ebp+pbDecompressedBuf]
    .text:004C482A     add     edi, [ebp+offset]
    .text:004C482D     mov     eax, ecx
    .text:004C482F     shr     ecx, 2
    .text:004C4832     rep movsd                               ; copy decompressed data to small
    .text:004C4832                                             ; heap buf -> heap overflow
    .text:004C4834     mov     ecx, eax
    .text:004C4836     and     ecx, 3
    .text:004C4839     rep movsb
    [...]

An unauthenticated remote attacker can specify large decompressed sizes in multiple RSP_FILE_UPLOAD / RSP_FILE_UPLOAD_CONT messages so that the 32-bit sum of the per-block decompressed sizes wraps to a small value. WLAvalancheService.exe allocates a heap buffer of that wrapped size, then copies each block's decompressed data into it using the block's own (unwrapped) DecompressedSize and a running offset, with no check against the allocation size. This results in a heap-based buffer overflow.
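The arithmetic behind the listing above, as an added example written for this page rather than Avalanche or Tenable code: the size accumulation at loc_4C4721 and the copy at 004C481B written out in C, each beside a checked version. The two-block message chain (0xFFFFF000 + 0x2000) is constructed to show the wrap; only DecompressedSize matters for the demonstration, and the cap passed to the checked accumulator is a caller-chosen policy value, not something the advisory specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Avalanche or Tenable code: the size accumulation and copy
 * from the listing above written out in C, each beside a checked version. The
 * two-block message chain is constructed; only DecompressedSize matters here. */

typedef struct inmsg {
    uint32_t decompressed_size;   /* the block's 'p.parcel.info' value */
    struct inmsg *next;
} inmsg;

/* loc_4C4721..loc_4C4738: 32-bit add with no wrap check. The return value is
 * what operator new(uint) receives. */
uint32_t total_decompressed_vulnerable(const inmsg *m) {
    uint32_t total = 0;
    for (; m; m = m->next)
        total += m->decompressed_size;   /* int32 overflow */
    return total;
}

/* Checked version: fail on wrap and on exceeding a caller-supplied cap. */
int total_decompressed_checked(const inmsg *m, uint32_t cap, uint32_t *out) {
    uint32_t total = 0;
    for (; m; m = m->next) {
        if (m->decompressed_size > UINT32_MAX - total) return 0;   /* would wrap */
        total += m->decompressed_size;
        if (total > cap) return 0;
    }
    *out = total;
    return 1;
}

/* The rep movsd/movsb at 004C482D..004C4839 copies INMSG.DecompressedSize bytes
 * to pbDecompressedBuf + offset with no bound. This version checks the block
 * against the remaining room before copying, independently of how the total
 * was computed. */
int copy_block_checked(uint8_t *buf, uint32_t buf_size, uint32_t *offset,
                       const uint8_t *data, uint32_t size) {
    if (*offset > buf_size || size > buf_size - *offset) return 0;
    memcpy(buf + *offset, data, size);
    *offset += size;
    return 1;
}

/* Constructed attacker chain: 0xFFFFF000 + 0x2000 = 0x1_0000_1000, which wraps
 * to 0x1000 in 32 bits. */
static inmsg *attacker_chain(inmsg m[2]) {
    m[0].decompressed_size = 0xFFFFF000u; m[0].next = &m[1];
    m[1].decompressed_size = 0x2000u;     m[1].next = NULL;
    return &m[0];
}

uint32_t demo_vulnerable_total(void) {          /* 0x1000: a 4 KiB heap buffer */
    inmsg m[2];
    return total_decompressed_vulnerable(attacker_chain(m));
}
int demo_checked_rejects(void) {                /* wrap is caught even with no cap */
    inmsg m[2]; uint32_t total = 0;
    return total_decompressed_checked(attacker_chain(m), UINT32_MAX, &total) == 0;
}
int demo_honest_total_ok(void) {                /* 4096 + 4096 passes and sums */
    inmsg m[2] = {{4096, &m[1]}, {4096, NULL}};
    uint32_t total = 0;
    return total_decompressed_checked(&m[0], 0x1000000u, &total) && total == 8192;
}
int demo_copy_rejects(void) {
    uint8_t buf[0x1000], data[16] = {0};
    uint32_t off = 0;
    /* The first block claims 0xFFFFF000 bytes against the 0x1000-byte buffer the
     * wrapped total produced; the unchecked rep movsd would run off the end. */
    return copy_block_checked(buf, sizeof buf, &off, data, 0xFFFFF000u) == 0;
}

int main(void) {
    printf("vulnerable total: 0x%x\nchecked accumulator rejects: %d\ncopy rejects: %d\n",
           demo_vulnerable_total(), demo_checked_rejects(), demo_copy_rejects());
    return 0;
}
```

Both checks matter: fixing only the accumulator still leaves the copy trusting a per-message size, and fixing only the copy still lets a wrapped total drive an undersized allocation that every subsequent block is measured against.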

This Cyber News was published on www.tenable.com. Publication date: Thu, 18 Apr 2024 00:41:03 +0000

