Ivanti Patches Two Critical Avalanche Flaws in Major Update

Ivanti has released a new product update for its flagship Avalanche mobile device management (MDM) product designed to fix 27 vulnerabilities, including two critical bugs.

The security vendor said it was not aware of any of the vulnerabilities currently being actively exploited in the wild. However, the two critical flaws could lead to remote code execution (RCE).

CVE-2024-24996 is described as a heap overflow in the WLInfoRailService component of the product, while CVE-2024-29204 is a heap overflow bug in the WLAvalancheService component. Both could allow a remote unauthenticated attacker to execute arbitrary commands, which is why they have been given a CVSS score of 9.8.

Avalanche is designed to offer IT administrators in large organizations the ability to centrally manage large deployments of potentially 100,000+ devices. As such, it would be an attractive target for attackers – although Ivanti claimed the vulnerabilities recently listed are not under active exploitation.

The remaining 25 CVEs fixed in this update are mainly path traversal and out-of-bounds read flaws with CVSS scores ranging from 5.3 to 8.8.

“Avalanche 6.4.3 has addressed some new security hardening and vulnerabilities in our Q1 2024 release. We are not aware of any exploitation of these vulnerabilities at the time of disclosure,” the advisory noted.

“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.”

Ivanti patched another 13 critical vulnerabilities in Avalanche back in December 2023.

The vendor’s products have proven to be a happy hunting ground for likely state-sponsored threat actors over the past year.

Two zero-day vulnerabilities in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, were exploited by Chinese threat actors in January 2023 to compromise 12 Norwegian government ministries.

Then, around a year later, Ivanti revealed that three more zero-days were being chained in Chinese attacks designed to compromise its Connect Secure VPN product and Policy Secure network access control (NAC) offerings.

Some insurers have claimed they now require prospective policyholders to put in place specific mitigations if running certain Ivanti products.
