Ivanti Patches 13 Critical Security Flaws in Avalanche Enterprise Mobile Device Management Solution

December 20, 2023

Ivanti, a software company, has issued security patches for 13 critical vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution. Avalanche enables administrators to manage over 100,000 mobile devices from a central location, deploy software, and schedule updates. The security flaws are due to stack or heap-based buffer overflow weaknesses in the WLAvalancheService, as reported by security researchers from Tenable and Trend Micro's Zero Day Initiative. These vulnerabilities can be exploited by unauthenticated attackers in low-complexity attacks without user interaction to achieve remote code execution on unpatched systems.

Ivanti stated in a security advisory that, 'An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.' To mitigate these vulnerabilities, Ivanti recommends that users download the Avalanche installer and update to the latest Avalanche 6.4.2. The vulnerabilities affect all supported versions of the product, including Avalanche versions 6.3.1 and above. Older versions are also at risk.

Along with these critical vulnerabilities, Ivanti also patched eight medium- and high-severity bugs that could be exploited in denial of service, remote code execution, and server-side request forgery (SSRF) attacks. All the security vulnerabilities disclosed were addressed in Avalanche v6.4.2.313. Information on upgrading your Avalanche installation is available in an Ivanti support article.

Previously in August, Ivanti fixed two other critical Avalanche buffer overflows, collectively tracked as CVE-2023-32560, which could lead to crashes and arbitrary code execution following successful exploitation. Threat actors had exploited a third MobileIron Core zero-day (CVE-2023-35081) along with CVE-2023-35078 to hack into the IT systems of a dozen Norwegian ministries. Earlier in April, state-affiliated hackers used two other zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.

MDM systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices. CISA had previously warned about the potential for widespread exploitation in government and private sector networks due to an earlier MobileIron vulnerability.
