Ivanti has issued patches for several critical- and high-severity vulnerabilities in its Avalanche enterprise mobile device management platform, including one that could enable unauthenticated, remote attackers to execute code.
While Ivanti released fixes for the seven flaws in version 220.127.116.11 of Avalanche earlier this month, the security advisories detailing these vulnerabilities were released this week. One of the more serious flaws (CVE-2023-32563) exists in the UpdateSkin method of Avalanche, which does not properly validate user-supplied paths for file operations. This flaw can be leveraged by attackers to execute code in the context of SYSTEM, according to the Zero Day Initiative this week.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche,” according to an advisory from the Zero Day Initiative on Tuesday. “Authentication is not required to exploit this vulnerability.”
Another issue, reported by a Tenable researcher, stemmed from stack-based buffer overflow flaws (tracked as CVE-2023-32560) in WLAvanacheServer.exe, impacting version 18.104.22.168 of Avalanche. According to NIST’s National Vulnerability Database, an attacker that sends a specially crafted message to the Wavelink Avalanche Manager can cause service disruption or execute code.
“When processing an item of data type 3, WLAvalancheService.exe uses a fixed-size stack-based buffer to store converted binary data from a hex string,” according to a Tenable advisory detailing one of the multiple stack-based buffer overflows. “An unauthenticated remote attacker can specify a long hex string to overflow the buffer.”
Other vulnerabilities include several authentication bypass flaws and remote code execution flaws (though these ones require authentication for successful exploitation and are therefore ranked lower on the CVSS 3.0 scale).
Avalanche is specifically designed for enterprises and, according to Ivanti, is being used by 30,000 organizations. When asked about any exploitation in the wild, an Ivanti spokesperson said: “We are not aware of any impacted customers. It was reported as a responsible disclosure.”
Ivanti in July scrambled to release fixes for a number of actively-exploited vulnerabilities in another one of its products that helps businesses manage and secure their employees’ devices, called Ivanti Endpoint Manager Mobile (or EPMM, formerly known as MobileIron Core). This included a vulnerability (CVE-2023-35078) being exploited to target a software platform utilized by 12 Norwegian government agencies.