Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution

Ivanti has patched critical- and high-severity vulnerabilities with the latest release of Avalanche, its enterprise mobile device management solution.

Ivanti has released patches for seven critical- and high-severity vulnerabilities in Avalanche, its enterprise mobile device management (MDM) solution.

The most severe of the flaws is CVE-2023-32563 (CVSS score of 9.8), a directory traversal bug that can be exploited to execute arbitrary code remotely.

Reported by security researchers with Trend Micro’s ZDI, the issue exists in the ‘updateSkin’ method of the MDM solution and can be exploited without authentication.

“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of System,” ZDI’s advisory reads.

The latest Avalanche iteration also resolves multiple stack-based buffer overflow bugs that are collectively tracked as CVE-2023-32560 (CVSS score of 8.8).

The vulnerability resides in Wavelink Avalanche Manager, which uses a fixed-size stack-based buffer when processing certain types of data, explained Tenable, whose researchers discovered the issue.

An unauthenticated, remote attacker can trigger the vulnerability by sending a crafted message to the service, which could lead to service disruption or code execution.

Two other high-severity remote code execution vulnerabilities were patched with the latest Avalanche release, both discovered and reported through ZDI.

The flaws, CVE-2023-32562 and CVE-2023-32564, are the result of a “lack of proper validation of user-supplied data”, allowing an attacker to upload arbitrary files and potentially execute code with System privileges.

All three remaining vulnerabilities – CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 – are described as authentication bypass flaws in various components of the MDM solution.

Ivanti patched all seven vulnerabilities in Avalanche version 6.4.1.207, which was released earlier this month. Both Tenable and ZDI, however, released details on these vulnerabilities only this week.

While there’s no mention of any of these issues being exploited in the wild, vulnerabilities in Ivanti products are known to have been targeted in malicious attacks.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
