This advisory is for organizations that use Ivanti Avalanche as part of their Mobile Device Management (MDM) solution. If your organization does not use this platform, this notification may be discarded.
Summary
Ivanti has released security updates to address multiple vulnerabilities in Avalanche, including the two critical vulnerabilities below. Each is a heap buffer overflow that an unauthenticated, remote attacker could trigger to execute arbitrary commands on a vulnerable Avalanche server, without any user interaction.
CVE-2024-24996 - A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
CVSSv3 base score: 9.8 (Critical)
CVE-2024-29204 - A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
CVSSv3 base score: 9.8 (Critical)
Affected Platforms
All versions of Avalanche prior to 6.4.3 are affected by both vulnerabilities.
Mitigations
Update to Avalanche 6.4.3 (or later), available from the Ivanti/Wavelink download site: https://www.wavelink.com/download/site/login.aspx?ReturnURL=%2fDownload-Avalanche_Mobile-Device-Management-Software%2f%3ffile%3d27687
Because exploitation requires no authentication and no user interaction, prioritize Avalanche servers that are internet-facing or otherwise reachable from untrusted networks, and confirm the installed version in the Avalanche console after the update has been applied. Ivanti's 6.4.3 release article (linked below) lists the full set of CVEs addressed in that version.
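The following PowerShell script is an added example for checking a Windows host against this advisory; it is not part of the advisory and not Ivanti's code. It assumes that the two components named in the CVEs, WLAvalancheService and WLInfoRailService, are registered as Windows services under those names and that the file version of each service executable tracks the Avalanche release; the page states neither, so verify the result against the version shown in the Avalanche console.

```powershell
# Added example (not from the advisory or from Ivanti): report whether the
# Avalanche components named in the advisory are present on this Windows host
# and whether their executable file version is older than the fixed release.
#
# Assumptions not stated on the page:
#  - WLAvalancheService and WLInfoRailService are registered as Windows
#    services under exactly those names.
#  - The FileVersion of each service executable tracks the Avalanche release.
# The script only reports; it changes nothing on the host.

$FixedVersion = [version]'6.4.3'
$ServiceNames = @('WLAvalancheService', 'WLInfoRailService')

function Get-AvalancheServiceStatus {
    param(
        [string[]]$Names = $ServiceNames,
        [version]$Fixed  = $FixedVersion
    )

    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{
                Service = $name; Present = $false; State = $null
                Version = $null; Verdict = 'Not installed'
            }
            continue
        }

        # PathName may be quoted and may carry arguments; keep only the
        # executable. (Unquoted paths containing spaces are not handled here.)
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($exe -split ' ')[0] }

        $ver = $null
        $verdict = 'Unknown'
        if (Test-Path -LiteralPath $exe) {
            $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            # FileVersion strings can carry extra text; keep the leading
            # major.minor.build and compare on those three parts only, so a
            # 6.4.3.x build is reported as patched rather than older than 6.4.3.
            if ($raw -match '(\d+)\.(\d+)\.(\d+)') {
                $ver = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
                if ($ver -lt $Fixed) { $verdict = 'Vulnerable: update to 6.4.3' }
                else                 { $verdict = 'Patched' }
            }
        } else {
            $verdict = "Binary not found: $exe"
        }

        [pscustomobject]@{
            Service = $name; Present = $true; State = $svc.State
            Version = $ver; Verdict = $verdict
        }
    }
}

Get-AvalancheServiceStatus | Format-Table -AutoSize
```

Run it on each Avalanche server, or wrap the call in Invoke-Command against a list of hosts to sweep a fleet. A "Vulnerable" verdict means the installed build predates 6.4.3; a "Patched" verdict only confirms the file version and does not replace checking the vendor's release article for any additional hardening steps.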
Additional Resources
https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/