Analysis Summary

For its Avalanche mobile device management (MDM) solution, Ivanti has published security upgrades that address 27 vulnerabilities, including two significant heap overflows that may be used to execute commands remotely.

Enterprise administrators use Avalanche to remotely administer, distribute software, and plan upgrades for huge fleets of more than 100,000 mobile devices from a single, central location. The two serious security vulnerabilities (CVE-2024-24996 and CVE-2024-29204) were discovered in Avalanche's WLInfoRailService and WLAvalancheService components.

Both of these are caused by heap-based buffer overflow vulnerabilities, which allow for low-complexity, user-interruptible low-authentication remote attackers to run arbitrary commands on susceptible systems. In addition, Ivanti fixed 25 medium and high-severity issues recently that may be used by remote attackers to launch denial-of-service attacks, run arbitrary commands as SYSTEM, access private data from memory, and launch remote code execution attacks.

Before their public release, the company was not aware of any clients who were taken advantage of by these vulnerabilities. It is strongly advised to download the Avalanche installer and update to the most recent version Avalanche 6.4.3 to fix the security issues.

After patching two more major Avalanche buffer overflows in August that were collectively tagged as CVE-2023-32560, Ivanti fixed 13 more critical severity remote code execution vulnerabilities in the Avalanche MDM solution in December. A year ago, several Norwegian government agencies' networks were compromised by state-affiliated hackers using two zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. A few months later, hackers exploited a third MobileIron Core zero-day (CVE-2023-35081) in conjunction with CVE-2023-35078 to breach the IT infrastructure of twelve ministries in Norway.

Because they offer threat actors elevated access to thousands of mobile devices and because APT actors have previously taken advantage of a MobileIron vulnerability, mobile device management (MDM) platforms are appealing targets. Thus, the possibility of broad exploitation in networks of the public and private sectors worries CISA and NCSC-NO.