Security News > 2024 > April > Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
The newest version of Ivanti Avalanche - the company's enterprise mobile device management solution - carries fixes for 27 vulnerabilities, two of which are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system.
Both critical vulnerabilities are heap overflow bugs: CVE-2024-29204 is in the WLAvalancheService, and CVE-2024-24996 in the WLInfoRailService component of Ivanti Avalanche before v6.4.3, and may allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems.
Tenable Security, which disclosed CVE-2024-29204 and a proof-of-concept exploit for it to Ivanti, has published additional details about the flaw and how it can be exploited by sending messages to Avalanche's WLAvalancheService.
Ivanti Avalanche v6.4.3 contains fixes for 25 other vulnerabilities affecting those same two components and a web component of the solution.
"These vulnerabilities affect any older versions of Avalanche," Ivanti said.
With vulnerabilities in its enterprise mobile management, VPN, and network access control solutions having been exploited by attackers left and right, Ivanti has had a difficult few months.
News URL
https://www.helpnetsecurity.com/2024/04/18/cve-2024-29204/
Related news
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910) (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Three more vulns spotted in Ivanti CSA, all critical, one 10/10 (source)
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)