Ivanti has issued a security advisory for its Avalanche mobile device management (MDM) product [7], urging users to update to the latest version, Avalanche 643 [1] [2] [3] [5] [8] [9], to address critical vulnerabilities [2] [4] [5] [7] [8].
Description
Among the vulnerabilities addressed in the update are heap overflow bugs in the WLInfoRailService and WLAvalancheService components, including CVE-2024-24996 and CVE-2024-29204 [1] [2] [3] [6], which could potentially allow arbitrary command execution [8]. These vulnerabilities have a CVSS score of 9.8 and pose a significant risk of remote command execution. The update also addresses other high- and medium-severity vulnerabilities that could lead to denial-of-service attacks and sensitive information disclosure, with CVSS scores ranging from 5.3 to 9.8 [7]. Ivanti had previously patched 13 critical vulnerabilities in Avalanche in December 2023 [7]. While there is no evidence of active exploitation [8], immediate upgrades to version 643 are recommended to protect against these security risks.
Conclusion
It is crucial for users to promptly download the Avalanche installer and update to version 643 to mitigate the risks posed by these vulnerabilities. Ivanti’s products have been targeted by state-sponsored threat actors in the past [7], underscoring the importance of staying vigilant and proactive in addressing security vulnerabilities.
References
[1] https://fieldeffect.com/blog/ivanti-addresses-critical-security-flaws-avalanche-mdm
[2] https://securityaffairs.com/161952/security/ivanti-avalanche-mdm-critical-flaws.html
[3] https://www.cert.be/en/advisory/warning-critical-vulnerabilities-ivanti-avalanche
[4] https://digital.nhs.uk/cyber-alerts/2024/cc-4478
[5] https://cyber.vumetric.com/security-news/2024/04/16/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/
[6] https://www.techradar.com/pro/security/another-ivanti-service-has-been-forced-to-patch-multiple-security-flaws
[7] https://www.infosecurity-magazine.com/news/ivanti-patches-two-critical/
[8] https://www.scmagazine.com/brief/over-two-dozen-ivanti-avalanche-vulnerabilities-addressed
[9] https://www.darkreading.com/vulnerabilities-threats/ivanti-releases-fixes-for-more-than-2-dozen-vulnerabilities