Ivanti fixed two critical flaws in its Avalanche MDM

Pierluigi Paganini April 17, 2024

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution that can lead to remote command execution.

Ivanti addressed multiple flaws in its Avalanche mobile device management (MDM) solution, including two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, that can lead to remote command execution.

The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets all in one system.

Below are the descriptions of the two vulnerabilities:

  • CVE-2024-24996 (CVSS score 9.8) – A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
  • CVE-2024-29204 (CVSS score 9.8) – A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.

A remote attacker can exploit both issues to execute code without user interaction.

Ivanti also addressed tens of medium- and high-severity vulnerabilities that could be exploited to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks, and read sensitive information from memory.

The software company was not aware of any in-the-wild attacks exploiting these vulnerabilities at the time of disclosure.

The company addressed the vulnerabilities with the release of Avalanche 6.4.3.

“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here,” reads the advisory.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Avalanche mobile device management)
