April 18, 2024
Severity
High
Analysis Summary
Ivanti has released security updates for its Avalanche mobile device management (MDM) solution that address 27 vulnerabilities, including two serious heap overflows that can be exploited for remote command execution.
Enterprise administrators use Avalanche to remotely manage, distribute software to, and schedule updates for large fleets of more than 100,000 mobile devices from a single central console. The two serious vulnerabilities (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche's WLInfoRailService and WLAvalancheService components.
Both are heap-based buffer overflow vulnerabilities that allow remote attackers with minimal authentication to run arbitrary commands on vulnerable systems in low-complexity attacks that require no user interaction. Ivanti also fixed 25 medium- and high-severity issues that remote attackers could use to launch denial-of-service attacks, run arbitrary commands as SYSTEM, read sensitive data from memory, and achieve remote code execution.
Ivanti stated that it was not aware of any customers being exploited through these vulnerabilities before they were publicly disclosed. Administrators are strongly advised to download the Avalanche installer and update to the latest version, Avalanche 6.4.3, to fix the security issues.
Ivanti fixed two other major Avalanche buffer overflows in August, collectively tracked as CVE-2023-32560, and patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December. A year ago, state-affiliated hackers compromised the networks of several Norwegian government agencies using two zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. A few months later, hackers exploited a third MobileIron Core zero-day (CVE-2023-35081) in conjunction with CVE-2023-35078 to breach the IT infrastructure of twelve Norwegian ministries.
Mobile device management (MDM) platforms are attractive targets because they give threat actors elevated access to thousands of mobile devices, and APT actors have already exploited a MobileIron vulnerability. CISA and NCSC-NO are therefore concerned about the potential for widespread exploitation in public- and private-sector networks.
Impact
- Denial of Service
- Code Execution
- Buffer Overflow
- Exposure of Sensitive Data
Indicators of Compromise
CVE
- CVE-2024-24996
- CVE-2024-29204
Affected Vendors
Remediation
- Refer to the Ivanti Knowledge Base Article for patch, upgrade, or suggested workaround information.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.