CVE-2024-24996, CVE-2024-29204 Ivanti Avalanche Buffer Overflow Vulnerabilities

Written by Critical Insight | May 1, 2024 3:01:17 PM

This advisory is for organizations that use Ivanti Avalanche as part of their Mobile Device Management (MDM) solution. If your organization does not use this platform, this notification may be discarded.

Summary

Ivanti has released security updates to address multiple vulnerabilities in Avalanche, including the two critical vulnerabilities below. Each could allow an unauthenticated, remote attacker to trigger a heap buffer overflow on a vulnerable system and execute arbitrary commands, without requiring any user interaction.

CVE-2024-24996 - A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

CVSSv3: 9.8

CVE-2024-29204 - A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

CVSSv3: 9.8

Affected Platforms

All versions of Avalanche prior to 6.4.3 are susceptible to these vulnerabilities.

Mitigations

Update to version 6.4.3: https://www.wavelink.com/download/site/login.aspx?ReturnURL=%2fDownload-Avalanche_Mobile-Device-Management-Software%2f%3ffile%3d27687

Additional Resources

https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/