Ivanti warns of critical flaws in its Avalanche MDM solution

Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.

Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.

As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche’s WLInfoRailService and WLAvalancheService components.

They’re both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on vulnerable systems in low-complexity attacks that don't require user interaction.

Today, Ivanti also patched 25 medium and high-severity bugs that remote attackers could exploit to trigger denial-of-service attacks, execute arbitrary commands as SYSTEM, read sensitive information from memory, and carry out remote code execution attacks.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company said in a security advisory published on Tuesday.

“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”

Customers can find the latest Avalanche 6.4.3 release here and more information regarding upgrade steps in this support article.

Ivanti patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December after fixing two other critical Avalanche buffer overflows collectively tracked as CVE-2023-32560 in August.

State-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to breach the networks of multiple Norwegian government organizations one year ago.

Months later, attackers chained a third MobileIron Core zero-day (CVE-2023-35081) with CVE-2023-35078 to also hack into the IT systems of a dozen Norwegian ministries.

“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA warned last August.

“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
