Ivanti has released patches for seven critical- and high-severity vulnerabilities in Avalanche, its enterprise mobile device management (MDM) solution.
The most severe of the flaws is CVE-2023-32563 (CVSS score of 9.8), a directory traversal bug that can be exploited to execute arbitrary code remotely.
Reported by security researchers with Trend Micro’s ZDI, the issue exists in the ‘updateSkin’ method of the MDM solution and can be exploited without authentication.
“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of System,” ZDI’s advisory reads.
The latest Avalanche iteration also resolves multiple stack-based buffer overflow bugs that are collectively tracked as CVE-2023-32560 (CVSS score of 8.8).
The vulnerability resides in Wavelink Avalanche Manager, which uses a fixed-size stack-based buffer when processing certain types of data, explained Tenable, whose researchers discovered the issue.
An unauthenticated, remote attacker can trigger the vulnerability by sending a crafted message to the service, which could lead to service disruption or code execution.
Two other high-severity remote code execution vulnerabilities were patched with the latest Avalanche release, both discovered and reported through ZDI.
The flaws, CVE-2023-32562 and CVE-2023-32564, are the result of a “lack of proper validation of user-supplied data”, allowing an attacker to upload arbitrary files and potentially execute code with System privileges.
All three remaining vulnerabilities – CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 – are described as authentication bypass flaws in various components of the MDM solution.
Ivanti patched all seven vulnerabilities in Avalanche version 126.96.36.199, which was released earlier this month. Both Tenable and ZDI, however, released details on these vulnerabilities only this week.
While there’s no mention of any of these issues being exploited in the wild, vulnerabilities in Ivanti products are known to have been targeted in malicious attacks.