Ivanti warns of critical flaws in its Avalanche MDM solution
Ivanti has released security updates to address 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.
As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche's WLInfoRailService and WLAvalancheService components.
They are both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on vulnerable systems in low-complexity attacks that don't require user interaction.
Ivanti also patched 25 medium and high-severity bugs that remote attackers could exploit to trigger denial-of-service attacks, execute arbitrary commands as SYSTEM, read sensitive information from memory, and carry out remote code execution attacks.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company said in a security advisory published on Tuesday.
“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”
Customers can find the latest Avalanche 6.4.3 release here and more information regarding upgrade steps in this support article.
Ivanti patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December after fixing two other critical Avalanche buffer overflows collectively tracked as CVE-2023-32560 in August.
State-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to breach the networks of multiple Norwegian government organizations one year ago.
Months later, attackers chained a third MobileIron Core zero-day (CVE-2023-35081) with CVE-2023-35078 to also hack into the IT systems of a dozen Norwegian ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA warned last August.
“Therefore, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”