dmesg on ICS showing web process crash multiple times with same IP and SP addresses each time
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/140/413/280/971/original/0ad30e70a74288ae.png
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/140/413/280/971/original/0ad30e70a74288ae.png
Notices where this attachment appears
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST 
Will Dormann
And per the excellent folks at watchTowr, we can see what the vulnerability is:
A stack buffer overflow in X-Forwarded-ForNo need to find a specific endpoint or do something clever. Simply make a web request to anywhere on an ICS system with a large X-Forwarded-For HTTP header and you'll get a stack buffer overflow on the system. 🤦♂️
And due to the fact that the Ivanti web server does a fork() without a corresponding exec(), we get the same memory layout every single time.
Now, about Ivanti's use of remediated... The function where the overflow happens just happens to have been rewritten in a way that avoids the overflow.
Did Ivanti recognize the possibility of a stack buffer overflow and not recognize it as a security issue? Or did they just happen to change code to accidentally avoid the overflow (and decide to use exploit mitigations as well).
You decide...
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.