Ivanti releases patches for 13 critical Avalanche RCE flaws

​Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution.

Avalanche allows admins to manage over 100,000 mobile devices from a single, central location over the Internet, deploy software, and schedule updates.

As Ivanti explained on Wednesday, these security flaws are due to WLAvalancheService stack or heap-based buffer overflow weaknesses reported by Tenable security researchers and Trend Micro's Zero Day Initiative.

Unauthenticated attackers can exploit them in low-complexity attacks that don't require user interaction to gain remote code execution on unpatched systems.

"An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution," Ivanti said in a security advisory.

"To address the security vulnerabilities [..], it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.2. These vulnerabilities impact all supported versions of the products – Avalanche versions 6.3.1 and above. Older versions/releases are also at risk."

CVE-ID	Product Affected / Vulnerability
CVE-2023-41727	Ivanti Avalanche v6.4.1 WLAvalancheService.exe Unauthenticated Buffer Overflows
CVE-2023-46216	Ivanti Avalanche v6.4.1 WLAvalancheService.exe Unauthenticated Buffer Overflows
CVE-2023-46217	Ivanti Avalanche v6.4.1 WLAvalancheService.exe Unauthenticated Buffer Overflows
CVE-2023-46220	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46221	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46222	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46223	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46224	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46225	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46257	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46258	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46259	Ivanti Avalanche WLAvalancheService Stack-based Buffer Overflow RCE Vulnerability
CVE-2023-46260	Ivanti Avalanche WLAvalancheService Null Pointer Dereference Denial-of-Service Vulnerability
CVE-2023-46261	Ivanti Avalanche WLInfoRailService Heap-based Buffer Overflow RCE Vulnerability

The company also patched eight medium- and high-severity bugs that attackers could exploit in denial of service, remote code execution, and server-side request forgery (SSRF) attacks.

All security vulnerabilities disclosed today were addressed in Avalanche v6.4.2.313. Additional information on upgrading your Avalanche installation is available in this Ivanti support article.

In August, Ivanti fixed two other critical Avalanche buffer overflows tracked collectively as CVE-2023-32560 that could lead to crashes and arbitrary code execution following successful exploitation.

Threat actors chained a third MobileIron Core zero-day (CVE-2023-35081) with CVE-2023-35078 to hack into the IT systems of a dozen Norwegian ministries one month earlier.

Four months earlier, in April, state-affiliated hackers used two other zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.

"Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability," CISA warned at the time.

"Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."