Ivanti, a leading provider of mobile device management (MDM) solutions, has recently released security updates to address a total of 27 Critical Flaws in Avalanche MDM Solution.
Among these vulnerabilities, two are classified as critical heap overflows, which have the potential to be exploited for remote command execution.
Avalanche is a widely used MDM solution employed by enterprise administrators to efficiently manage and deploy software updates across large fleets of over 100,000 mobile devices from a centralized location.
Critical Flaws in Avalanche MDM Solution
Ivanti has identified the two critical security flaws, namely CVE-2024-24996 and CVE-2024-29204, within Avalanche’s WLInfoRailService and WLAvalancheService components, respectively. These vulnerabilities require immediate attention and prompt installation of the provided security updates.
The critical vulnerabilities identified in Avalanche’s WLInfoRailService and WLAvalancheService components are both attributed to heap-based buffer overflow weaknesses.
These weaknesses can be exploited by unauthenticated remote attackers to execute arbitrary commands on vulnerable systems. Notably, these attacks can be carried out with minimal complexity and do not require user interaction.
In addition to addressing these Critical Flaws in Avalanche MDM Solution, Ivanti has also released patches for 25 medium and high-severity bugs.
These bugs, if left unaddressed, could potentially enable remote attackers to launch denial-of-service attacks, execute arbitrary commands with SYSTEM-level privileges, extract sensitive information from system memory, and conduct remote code execution attacks.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,”
“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”
The company said in a security advisory.
Customers can access the latest Avalanche 6.4.3 release by following this link. Additionally, for detailed information on the upgrade process, please refer to the support article.
Critical Flaws in Avalanche MDM Solution Were Used in Attack on the Norwegian Ministry
In December, Ivanti addressed an additional 13 critical-severity vulnerabilities in the Avalanche MDM solution, specifically targeting remote code execution vulnerabilities. This update followed a previous fix in August for two critical buffer overflow vulnerabilities in Avalanche, collectively known as CVE-2023-32560.
It is worth noting that state-affiliated hackers utilized two zero-day flaws, CVE-2023-35078 and CVE-2023-35081, in Ivanti’s Endpoint Manager Mobile (EPMM) – previously known as MobileIron Core – to breach the networks of several Norwegian government organizations approximately one year ago.
Months after the initial breach, attackers took advantage of a third zero-day vulnerability (CVE-2023-35081) in MobileIron Core, which they combined with CVE-2023-35078. This allowed them to successfully infiltrate the IT systems of around twelve Norwegian ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,”
“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
CISA warned last August.
