Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
2024-04-18 11:59

The newest version of Ivanti Avalanche - the company's enterprise mobile device management solution - carries fixes for 27 vulnerabilities, two of which are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system.

Both critical vulnerabilities are heap overflow bugs in Ivanti Avalanche before v6.4.3: CVE-2024-29204 is in the WLAvalancheService component, and CVE-2024-24996 is in the WLInfoRailService component. Either may allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems.

Tenable Security, which disclosed CVE-2024-29204 and a proof-of-concept exploit for it to Ivanti, has published additional details about the flaw and how it can be exploited by sending messages to Avalanche's WLAvalancheService.

Ivanti Avalanche v6.4.3 contains fixes for 25 other vulnerabilities affecting those same two components and a web component of the solution.

"These vulnerabilities affect any older versions of Avalanche," Ivanti said.

With vulnerabilities in its enterprise mobile management, VPN, and network access control solutions having been exploited by attackers left and right, Ivanti has had a difficult few months.


News URL

https://www.helpnetsecurity.com/2024/04/18/cve-2024-29204/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 23 9 59 74 51 193