Ivanti warns of critical flaws in its Avalanche MDM solution
2024-04-16 19:52

Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management solution, two of them critical heap overflows that can be exploited for remote command execution.

Avalanche is used by enterprise admins to remotely manage devices, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.

As the company explained on Wednesday, the two critical security flaws were found in Avalanche's WLInfoRailService and WLAvalancheService components.

"To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3."

Customers can find the latest Avalanche 6.4.3 release here and more information regarding upgrade steps in this support article.

Ivanti patched 13 more critical-severity remote code execution vulnerabilities in the Avalanche MDM solution in December after fixing two other critical Avalanche buffer overflows collectively tracked as CVE-2023-32560 in August.


News URL

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-10 | CVE-2023-32560 | Out-of-bounds Write vulnerability in Ivanti Avalanche | critical (9.8) |

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

network, low complexity, ivanti, CWE-787

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 26 9 64 115 60 248