Ivanti Patches 13 Critical Security Flaws in Avalanche Enterprise Mobile Device Management Solution
December 20, 2023
Ivanti, a software company, has issued security patches for 13 critical vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution. Avalanche enables administrators to manage over 100,000 mobile devices from a central location, deploy software, and schedule updates. The security flaws are due to stack or heap-based buffer overflow weaknesses in the WLAvalancheService, as reported by security researchers from Tenable and Trend Micro's Zero Day Initiative. These vulnerabilities can be exploited by unauthenticated attackers in low-complexity attacks without user interaction to achieve remote code execution on unpatched systems.
Ivanti stated in a security advisory that, 'An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.' To mitigate these vulnerabilities, Ivanti recommends that users download the Avalanche installer and update to the latest Avalanche 6.4.2. The vulnerabilities affect all supported versions of the product, including Avalanche versions 6.3.1 and above. Older versions are also at risk.
Along with these critical vulnerabilities, Ivanti also patched eight medium- and high-severity bugs that could be exploited in denial of service, remote code execution, and server-side request forgery (SSRF) attacks. All the security vulnerabilities disclosed were addressed in Avalanche v6.4.2.313. Information on upgrading your Avalanche installation is available in an Ivanti support article.
In August, Ivanti fixed two other critical Avalanche buffer overflows, collectively tracked as CVE-2023-32560, which could lead to crashes and arbitrary code execution following successful exploitation. Threat actors had exploited a third MobileIron Core zero-day (CVE-2023-35081) along with CVE-2023-35078 to hack into the IT systems of a dozen Norwegian ministries. Earlier in April, state-affiliated hackers used two other zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.
MDM systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices. CISA had warned about the potential for widespread exploitation in government and private sector networks due to a previous MobileIron vulnerability.