Ivanti, a global IT solutions provider, has released patches for a series of critical and high-severity vulnerabilities identified in its enterprise mobile device management (MDM) solution, Avalanche. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code remotely.
The most severe vulnerability, tracked as CVE-2023-32563 and assigned a CVSS score of 9.8, is a directory traversal bug. This flaw was reported by security researchers at Trend Micro’s Zero Day Initiative (ZDI), who noted that the vulnerability resides in the ‘updateSkin’ method of the MDM solution and can be exploited without authentication. ZDI’s advisory states: “The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of System.”
The latest version of Avalanche also addresses multiple stack-based buffer overflow vulnerabilities, collectively tracked as CVE-2023-32560 and assigned a CVSS score of 8.8. According to the cybersecurity firm Tenable, which discovered the flaws, they exist in the Wavelink Avalanche Manager. This component uses a fixed-size stack-based buffer when processing certain types of data. An unauthenticated, remote attacker could exploit these vulnerabilities by sending a specially crafted message to the service, potentially leading to service disruption or code execution.
Ivanti's latest patch also fixes two other high-severity remote code execution vulnerabilities, CVE-2023-32562 and CVE-2023-32564. Both were discovered and reported through ZDI. These vulnerabilities stem from a “lack of proper validation of user-supplied data”, allowing an attacker to upload arbitrary files and potentially execute code with System privileges.
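The validation gap ZDI describes for the 'updateSkin' flaw, and the file-upload flaws above, comes down to using a client-supplied path in a file operation without confirming it stays inside the intended directory. The following is an added example, not Ivanti's code: it contrasts an unvalidated join with a containment check, and the `skins` directory and all file names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """A client-supplied path would land outside the base directory."""


def naive_target(base: Path, user_path: str) -> Path:
    # Flawed pattern: join and use, with no validation of user_path.
    return Path(os.path.join(base, user_path))


def safe_target(base: Path, user_path: str) -> Path:
    # Treat Windows-style separators the same as forward slashes.
    cleaned = user_path.replace("\\", "/")
    if not cleaned or "\x00" in cleaned:
        raise UnsafePath("empty path or NUL byte")
    if cleaned.startswith("/") or cleaned[1:2] == ":":
        raise UnsafePath("absolute paths are not accepted")
    root = base.resolve(strict=True)
    # resolve() collapses ".." and follows any symlinks that already exist.
    candidate = (root / cleaned).resolve()
    if root not in candidate.parents:
        raise UnsafePath(f"{user_path!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Map each constructed input to (naive join escapes?, hardened verdict)."""
    samples = ["blue/logo.png", "../outside.txt", "..\\..\\outside.txt",
               "/tmp/outside.txt", "C:\\outside.txt", "a/../../outside.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "skins"  # hypothetical upload directory
        base.mkdir()
        root = base.resolve()
        for name in samples:
            escapes = root not in naive_target(base, name).resolve().parents
            try:
                safe_target(base, name)
                verdict = "accepted"
            except UnsafePath:
                verdict = "rejected"
            results[name] = (escapes, verdict)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} naive_escapes={outcome[0]!s:5} hardened={outcome[1]}")
```

The check runs on the resolved path rather than on the raw string, so inputs such as `a/../../outside.txt` that contain no leading `..` are still caught.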
The remaining three vulnerabilities, CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566, are classified as authentication bypass vulnerabilities in different components of the MDM solution. Ivanti has addressed all seven vulnerabilities in Avalanche version 22.214.171.124, which was released earlier this month. Tenable and ZDI disclosed details about these vulnerabilities only this week. While there is no evidence of these vulnerabilities being exploited in the wild, Ivanti products have previously been targeted in malicious attacks.