Summary: Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, including two critical heap overflows that can be exploited for remote command execution.
Threat Actor: Unknown | N/A
Victim: Ivanti | N/A
Key Points:
- Ivanti has patched 27 vulnerabilities in its Avalanche MDM solution, including two critical heap overflows that allow for remote command execution.
- The vulnerabilities could be exploited by remote attackers to trigger denial-of-service attacks, execute arbitrary commands, read sensitive information, and perform remote code execution attacks.
- No customers have been reported as being exploited prior to the public disclosure of the vulnerabilities.
- Ivanti recommends that users update to the latest Avalanche 6.4.3 version to address the security vulnerabilities.
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.
As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche’s WLInfoRailService and WLAvalancheService components.
They are both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on vulnerable systems in low-complexity attacks that don’t require user interaction.
Today, Ivanti also patched 25 medium and high-severity bugs that remote attackers could exploit to trigger denial-of-service attacks, execute arbitrary commands as SYSTEM, read sensitive information from memory, and perform remote code execution attacks.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company said in a security advisory published on Tuesday.
“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”
Customers can download the latest Avalanche 6.4.3 release from Ivanti, and a support article provides more information regarding upgrade steps.
Ivanti patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December after fixing two other critical Avalanche buffer overflows collectively tracked as CVE-2023-32560 in August.
State-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to breach the networks of multiple Norwegian government organizations one year ago.
Months later, attackers chained a third MobileIron Core zero-day (CVE-2023-35081) with CVE-2023-35078 to also hack into the IT systems of a dozen Norwegian ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA warned last August.
“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”