Ivanti recently released Avalanche 6.4.2, an update to its mobile device management (MDM) product [9]. The release addresses a total of 22 vulnerabilities, including critical ones reported by security researchers from Tenable and Trend Micro's Zero Day Initiative (ZDI). The critical flaws allow unauthenticated attackers to execute code remotely on unpatched systems.
Description
Avalanche 6.4.2 addresses stack- and heap-based buffer overflow vulnerabilities in the WLAvalancheService component. By sending specially crafted data packets to the Mobile Device Server [2] [3], an attacker can corrupt memory, leading to denial of service or arbitrary code execution [2] [3]. Ivanti has fixes available for all impacted versions [6] and recommends updating to Avalanche v6.4.2.313 to mitigate these risks [1].
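The page does not describe the WLAvalancheService packet format, so the following is an added illustration of the bug class, not Avalanche's code: a hypothetical length-prefixed message (2-byte big-endian length, then payload) parsed once in the vulnerable shape, where the attacker-supplied length drives a memcpy into a fixed buffer, and once in a hardened shape that checks the declared length against both the bytes received and the destination size. The packets are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for illustration only: a 2-byte big-endian
 * length followed by that many payload bytes. Not Avalanche's protocol. */
#define HDR_LEN 2
#define DST_LEN 64           /* fixed-size destination buffer */

enum parse_status {
    PARSE_OK        =  0,
    PARSE_SHORT     = -1,    /* packet shorter than the header */
    PARSE_TRUNCATED = -2,    /* declared length exceeds bytes actually received */
    PARSE_TOO_BIG   = -3     /* declared length exceeds destination buffer */
};

static uint16_t declared_len(const uint8_t *pkt)
{
    return (uint16_t)(((uint16_t)pkt[0] << 8) | pkt[1]);
}

/* Vulnerable shape (CWE-121/CWE-122): the length comes from the
 * attacker-controlled packet and is used directly as the copy size, never
 * compared with the bytes received or the size of dst. A header claiming
 * 0xFFFF bytes over-reads the input and overwrites whatever follows dst on
 * the stack or heap. Kept only to contrast with the fixed version; never
 * call it with untrusted input. */
int parse_message_unsafe(const uint8_t *pkt, size_t pkt_len, uint8_t *dst)
{
    if (pkt_len < HDR_LEN)
        return PARSE_SHORT;
    uint16_t n = declared_len(pkt);
    memcpy(dst, pkt + HDR_LEN, n);   /* n is never checked */
    return (int)n;
}

/* Hardened version: validate the declared length against both bounds
 * before touching memory, and report how much was copied. */
int parse_message_safe(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *dst, size_t dst_len, size_t *out_len)
{
    if (pkt == NULL || dst == NULL || out_len == NULL || pkt_len < HDR_LEN)
        return PARSE_SHORT;
    uint16_t n = declared_len(pkt);
    if (n > pkt_len - HDR_LEN)
        return PARSE_TRUNCATED;      /* would read past the received bytes */
    if (n > dst_len)
        return PARSE_TOO_BIG;        /* would write past the buffer */
    memcpy(dst, pkt + HDR_LEN, n);
    *out_len = n;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t BENIGN_PKT[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t LYING_PKT[]  = { 0xFF, 0xFF, 'A', 'B', 'C', 'D' }; /* claims 65535, carries 4 */

/* 0 when the hardened parser accepts the benign packet intact. */
int check_benign(void)
{
    uint8_t dst[DST_LEN];
    size_t got = 0;
    if (parse_message_safe(BENIGN_PKT, sizeof BENIGN_PKT, dst, sizeof dst, &got) != PARSE_OK)
        return 1;
    return (got == 5 && memcmp(dst, "hello", 5) == 0) ? 0 : 2;
}

/* Status for the packet whose header lies about its length. */
int check_lying(void)
{
    uint8_t dst[DST_LEN];
    size_t got = 0;
    return parse_message_safe(LYING_PKT, sizeof LYING_PKT, dst, sizeof dst, &got);
}

/* A consistent packet carrying more payload than dst can hold. */
int check_oversized(void)
{
    uint8_t pkt[HDR_LEN + 100];
    uint8_t dst[DST_LEN];
    size_t got = 0;
    pkt[0] = 0x00;
    pkt[1] = 100;
    memset(pkt + HDR_LEN, 'A', 100);
    return parse_message_safe(pkt, sizeof pkt, dst, sizeof dst, &got);
}

int main(void)
{
    uint8_t dst[DST_LEN];
    printf("unsafe parser, benign packet: copied %d bytes\n",
           parse_message_unsafe(BENIGN_PKT, sizeof BENIGN_PKT, dst));
    /* parse_message_unsafe(LYING_PKT, ...) would memcpy 65535 bytes into dst here. */
    printf("safe parser, benign: %d\n", check_benign());
    printf("safe parser, lying header: %d\n", check_lying());
    printf("safe parser, oversized payload: %d\n", check_oversized());
    return 0;
}
```

The two checks in the hardened parser are independent: a header that lies about the payload length is caught by the comparison against `pkt_len`, while a perfectly consistent packet that is simply larger than the fixed buffer is caught by the comparison against `dst_len`. Fixing only one of them leaves the other overflow path open.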
In addition to the critical vulnerabilities [5] [9], Avalanche 6.4.2 also fixes high- and medium-severity bugs, including further memory corruption vulnerabilities [6]. More detailed information can be found in the release notes and security advisory for Avalanche 6.4.2 [6].
It is worth noting that Ivanti MDM products have been targeted in the past [9], but there is currently no evidence that these Avalanche vulnerabilities are being actively exploited. Ivanti has previously faced vulnerabilities in its Endpoint Manager Mobile (EPMM) solution and in the Ivanti Sentry gateway [2], and attackers have been exploiting zero-day vulnerabilities in Ivanti software since April [2].
These vulnerabilities affect all supported versions of the product [4] [5] [8], including Avalanche 6.3.1 and above [4]; older, unsupported releases are also at risk [4].
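A version-triage check for the affected range above, added here as an example rather than taken from Ivanti or any referenced source: it parses dotted Avalanche version strings, treats a missing build number as 0 (so a bare "6.4.2" compares as older than the fixed build 6.4.2.313), and flags every parsable version below 6.4.2.313 as needing the update. The inventory is constructed; the hostnames and build numbers are not real.

```c
#include <stdio.h>
#include <string.h>

/* Fixed build named in the advisory coverage. */
#define FIXED_VERSION "6.4.2.313"

typedef struct { int part[4]; } avalanche_version;

/* Parse "major.minor.patch[.build]". A missing build is treated as 0.
 * Returns 0 on success, -1 if fewer than three numeric fields are present. */
int parse_version(const char *s, avalanche_version *v)
{
    memset(v, 0, sizeof *v);
    int n = sscanf(s, "%d.%d.%d.%d",
                   &v->part[0], &v->part[1], &v->part[2], &v->part[3]);
    if (n < 3)
        return -1;
    for (int i = 0; i < 4; i++)
        if (v->part[i] < 0)
            return -1;
    return 0;
}

/* Lexicographic comparison of the four fields: <0, 0, >0. */
int version_cmp(const avalanche_version *a, const avalanche_version *b)
{
    for (int i = 0; i < 4; i++)
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

/* 1 = below 6.4.2.313 and needs the update; 0 = at or above the fixed build;
 * -1 = version string could not be parsed (unknown, investigate by hand). */
int needs_patch(const char *installed)
{
    avalanche_version v, fixed;
    if (parse_version(installed, &v) != 0)
        return -1;
    parse_version(FIXED_VERSION, &fixed);
    return version_cmp(&v, &fixed) < 0 ? 1 : 0;
}

/* Constructed inventory (hostname, version reported by the host); hypothetical. */
struct host { const char *name; const char *version; };
static const struct host INVENTORY[] = {
    { "mds-01", "6.2.0" },       /* older than 6.3.1: still at risk */
    { "mds-02", "6.3.1" },
    { "mds-03", "6.4.1.200" },
    { "mds-04", "6.4.2" },       /* no build number: cannot be assumed fixed */
    { "mds-05", "6.4.2.313" },
    { "mds-06", "unknown" },
};
#define INVENTORY_LEN (sizeof INVENTORY / sizeof INVENTORY[0])

/* Number of hosts that still need the update. */
int count_unpatched(void)
{
    int n = 0;
    for (size_t i = 0; i < INVENTORY_LEN; i++)
        if (needs_patch(INVENTORY[i].version) == 1)
            n++;
    return n;
}

/* Number of hosts whose version could not be parsed. */
int count_unknown(void)
{
    int n = 0;
    for (size_t i = 0; i < INVENTORY_LEN; i++)
        if (needs_patch(INVENTORY[i].version) < 0)
            n++;
    return n;
}

int main(void)
{
    static const char *label[] = { "UNKNOWN", "patched", "NEEDS UPDATE" };
    for (size_t i = 0; i < INVENTORY_LEN; i++) {
        int r = needs_patch(INVENTORY[i].version);
        printf("%-8s %-12s %s\n", INVENTORY[i].name, INVENTORY[i].version, label[r + 1]);
    }
    printf("%d hosts need %s, %d unknown\n", count_unpatched(), FIXED_VERSION, count_unknown());
    return 0;
}
```

Treating an unparsable version as "unknown" rather than "patched" is deliberate: an inventory tool that cannot read the version string has no basis for marking a server safe.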
Conclusion
Ivanti Avalanche is a mobile device management system that allows administrators to manage over 100,000 devices from a central location [8]. Ivanti has fixed vulnerabilities in Avalanche, reported by Tenable and ZDI [8], that stem from stack- and heap-based buffer overflow weaknesses in WLAvalancheService [7] [8]; unauthenticated attackers can exploit them to gain remote code execution (RCE) on unpatched systems [8]. They affect all supported versions of Avalanche [4] [5] [8], including 6.3.1 and above [8]. Ivanti strongly recommends downloading the Avalanche installer and updating to the latest version, 6.4.2 [7] [8] [9]; all disclosed vulnerabilities are fixed in Avalanche version 6.4.2.313 [7] [8], and Ivanti has published support articles with further upgrade information [8]. The same release also fixes medium- and high-severity vulnerabilities that could be used for denial of service [8], remote code execution [1] [5] [7] [8] [9], and server-side request forgery (SSRF) attacks [1] [7] [8]. In August [3] [8], Ivanti had already fixed two critical Avalanche buffer overflow vulnerabilities, tracked together as CVE-2023-32560 [8], which could lead to crashes or arbitrary code execution if successfully exploited [8]. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have warned that Ivanti vulnerabilities could be used to attack government and private-industry networks [8].
References
[1] https://ciso2ciso.com/ivanti-releases-patches-for-13-critical-avalanche-rce-flaws-source-www-bleepingcomputer-com/
[2] https://www.techzine.eu/news/security/114632/ivanti-fixes-14-critical-vulnerabilities-in-avalanche-mdm-solution/
[3] https://www.techzine.nl/nieuws/security/536892/ivanti-lost-14-kritieke-kwetsbaarheden-op-in-avalanche-mdm-oplossing/
[4] https://cyber.vumetric.com/security-news/2023/12/20/ivanti-releases-patches-for-13-critical-avalanche-rce-flaws/
[5] https://vulnera.com/newswire/ivanti-patches-13-critical-security-flaws-in-avalanche-enterprise-mobile-device-management-solution/
[6] https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities
[7] https://www.notiulti.com/ivanti-lanza-parches-para-13-fallas-criticas-de-avalanche-rce/
[8] https://cn-sec.com/archives/2324702.html
[9] https://www.infosecurity-magazine.com/news/ivanti-customers-patch-13-critical/