Ivanti patches 13 critical RCE vulnerabilities in Avalanche MDM
Take action: Hackers have already exploited Ivanti products this year, and there were several other issues with Avalanche. Since Ivanti products are used by enterprise and government organizations, they are a great entry point to high-value targets. Start planning your patch ASAP.
Ivanti has released security updates to mitigate 13 critical vulnerabilities found in its Avalanche enterprise mobile device management (MDM) solution. Ivanti is a software company that specializes in IT asset and service management solutions, offering a range of products designed to unify and secure IT operations, like IT asset management, service management, endpoint security, unified endpoint management, enterprise service management, and identity management.
Its Avalanche MDM solution is widely used for managing a significant number of mobile devices across organizations, offering functionalities like software deployment and update scheduling. The vulnerabilities, primarily caused by buffer overflow weaknesses in the WLAvalancheService, were identified and reported by security researchers from Tenable and Trend Micro's Zero Day Initiative.
The vulnerabilities impact all supported versions of Avalanche, starting from version 6.3.1.
The exploitation of these vulnerabilities could result in remote code execution on systems that have not been updated with the latest security patches. For instance, attackers can send specially crafted data packets to the Mobile Device Server in Avalanche, leading to memory corruption, resulting in potential denial of service or even code execution.
Full list of vulnerabilities and severity:
| CVE-ID | CVSS score | Product Affected / Vulnerability |
| --- | --- | --- |
| CVE-2023-41727 | 9.8 | Avalanche v6.4.1 WLAvalancheService Unauthenticated Buffer Overflow |
| CVE-2023-46216 | 9.8 | Avalanche v6.4.1 WLAvalancheService Unauthenticated Buffer Overflow |
| CVE-2023-46217 | 9.8 | Avalanche v6.4.1 WLAvalancheService Unauthenticated Buffer Overflow |
| CVE-2023-46220 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46221 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46222 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46223 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46224 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46225 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46257 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46258 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46259 | 9.8 | WLAvalancheService Stack-based Buffer Overflow Remote code execution |
| CVE-2023-46260 | 7.5 | WLAvalancheService Null Pointer Dereference Denial of Service |
| CVE-2023-46261 | 9.8 | WLInfoRailService Heap-based Buffer Overflow Remote code execution |
In response to these findings, Ivanti has strongly recommended that users update to the latest version of Avalanche, specifically v6.4.2, to secure their systems against these vulnerabilities.
The company also addressed eight additional vulnerabilities of medium and high severity in the same update, which could potentially be exploited for denial of service, remote code execution, and server-side request forgery attacks.
Previously, in August, Ivanti had fixed two critical buffer overflow vulnerabilities in Avalanche, identified as CVE-2023-32560, which were capable of causing crashes and allowing arbitrary code execution upon successful exploitation. Threat actors had exploited a third zero-day vulnerability in MobileIron Core (CVE-2023-35081) along with CVE-2023-35078 to attack the IT systems of numerous Norwegian ministries. Similarly, state-affiliated hackers had leveraged two other zero-day flaws in Ivanti's Endpoint Manager Mobile (formerly MobileIron Core) in April to infiltrate networks of several Norwegian government organizations.