Flash Notice: Thirteen Critical Vulnerabilities Found in Ivanti Avalanche

overview

Thirteen vulnerabilities were found in the Ivanti Avalanche enterprise mobile device management solution. Ivanti has recently issued security updates to address the critical vulnerabilities. For those unaware, Ivanti Avalanche is software that allows administrators to centrally manage over 100,000 mobile devices via the Internet, facilitating tasks such as software deployment and update scheduling. 

The security flaws stem from stack or heap-based buffer overflow weaknesses in the WLAvalancheService. These vulnerabilities could be exploited by unauthenticated attackers in low-complexity attacks, requiring no user interaction, to achieve remote code execution on unpatched systems.  

According to Ivanti's security advisory, attackers can trigger memory corruption by sending specially crafted data packets to the Mobile Device Server, leading to potential Denial of Service (DoS) or code execution. To mitigate these risks, Ivanti strongly recommends users to download the Avalanche installer and update to the latest version, specifically Avalanche 6.4.2. The vulnerabilities impact all supported versions, including Avalanche versions 6.3.1 and above, with older versions also being at risk. 

The memory corruption vulnerabilities (both critical and high severity) are as follows:   

• CVE-2023-41727 – CVSS 9.8   
• CVE-2023-46216 – CVSS 9.8  
• CVE-2023-46217 – CVSS 9.8 
• CVE-2023-46220 – CVSS 9.8 
• CVE-2023-46221 – CVSS 9.8 
• CVE-2023-46222 – CVSS 9.8 
• CVE-2023-46223 – CVSS 9.8 
• CVE-2023-46224 – CVSS 9.8 
• CVE-2023-46225 – CVSS 9.8 
• CVE-2023-46257 – CVSS 9.8 
• CVE-2023-46258 – CVSS 9.8 
• CVE-2023-46259 – CVSS 9.8 
• CVE-2023-46260 – CVSS 7.5 
• CVE-2023-46261 – CVSS 9.8 
• CVE-2023-46262 – CVSS 7.5 
• CVE-2023-46263 – CVSS 7.2 
• CVE-2021-22962 – CVSS 7.3 
• CVE-2023-46264 – CVSS 7.2 
• CVE-2023-46265 – CVSS 6.5 
• CVE-2023-46266 – CVSS 7.3 

The Ivanti Avalanche vulnerabilities are coming on the heels of the company previously addressing two critical Avalanche buffer overflows in August, identified as CVE-2023-32560. Threat actors also exploited a third MobileIron Core zero-day (CVE-2023-35081) along with CVE-2023-35078 to compromise the IT systems of several Norwegian ministries.  

avertium's recommendationS

• Once Ivanti learned of the vulnerabilities they mobilized resources to fix the issues. Updates are now available for all impacted versions of Ivanti Avalanche. See the links below for guidance. 
  • Release notes for Avalanche 6.4.2 
  • Avalanche 6.4.2 Security Hardening and CVE Advisory 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with the above vulnerabilities. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
  • Risk Assessments 
  • Pen Testing and Social Engineering  
  • Infrastructure Architecture and Integration  
  • Zero Trust Network Architecture 
  • Vulnerability Management 
• We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION