Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.
As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche’s WLInfoRailService and WLAvalancheService components.
They are both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on vulnerable systems in low-complexity attacks that don’t require user interaction.
Today, Ivanti also patched 25 medium and high-severity bugs that remote attackers could exploit to trigger denial-of-service attacks, execute arbitrary commands as SYSTEM, read sensitive information from memory, and remote code execution attacks.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company said in a security advisory published on Tuesday.
“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”
Customers can find the latest Avalanche 6.4.3 release here and more information regarding upgrade steps in this support article.
Ivanti patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December after fixing two other critical Avalanche buffer overflows collectively tracked as CVE-2023-32560 in August.
State-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to breach the networks of multiple Norwegian government organizations one year ago.
Months later, attackers chained a third MobileIron Core zero-day (CVE-2023-35081) with CVE-2023-35078 to also hack into the IT systems of a dozen Norwegian ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA warned last August.
“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
