Ivanti Avalanche WLInfoRailService.exe Off-By-One Unauthenticated DoS - Research Advisory - #CVE-2024-36136
An off-by-one denial-of-service (DoS) vulnerability was identified in Ivanti Avalanche's WLInfoRailService.exe version 6.4.3.0 and earlier, which could be exploited by an unauthenticated remote attacker to terminate the process. This vulnerability is triggered when the service processes a payload consisting entirely of space characters, leading to a memory access violation. The issue was initially reported by Tenable on May 28, 2024, and was patched by Ivanti on August 13, 2024, with the release of version 6.4.4.0. The vulnerability has been assigned CVE ID CVE-2024-36136 and carries a CVSSv3 base score of 7.5, indicating high severity. Users are strongly encouraged to upgrade to the latest version to mitigate this risk. Tenable continues to emphasize the importance of reporting vulnerabilities to enhance product security and protect customers.
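An illustration of this bug class, added here and not taken from the advisory or from Ivanti's code. The advisory does not publish the faulty routine, so the trailing-space trim below (`rtrim_flawed`, `rtrim_safe`, both hypothetical names) is an assumed stand-in showing how an all-space input can push an index one element past the start of a buffer, next to a bounds-checked form.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical routines for illustration only; not Ivanti's code.
 * Both expect buf to hold at least len + 1 bytes. */

/* Flawed: assumes some non-space byte exists. On an all-space (or empty)
 * buffer nothing stops the loop at index 0, so it reads buf[-1], one
 * element before the buffer. Kept for comparison and never called here. */
size_t rtrim_flawed(char *buf, size_t len)
{
    long end = (long)len - 1;
    while (buf[end] == ' ')      /* no lower-bound check */
        end--;
    buf[end + 1] = '\0';
    return (size_t)(end + 1);
}

/* Hardened: the length test runs before every read, so the index never
 * drops below zero and an all-space input trims to the empty string. */
size_t rtrim_safe(char *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == ' ')
        len--;
    buf[len] = '\0';
    return len;
}

int main(void)
{
    char all_spaces[8] = "       ";   /* constructed input: 7 spaces */
    char mixed[8] = "ab  ";           /* constructed input */
    printf("%zu\n", rtrim_safe(all_spaces, 7));
    printf("%zu \"%s\"\n", rtrim_safe(mixed, 4), mixed);
    return 0;
}
```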