Ivanti has released 22 patches to fix vulnerabilities in the Avalanche mobile device management solution, 13 of which are rated critical. Ivanti Avalanche is an enterprise MDM solution that can be used to manage more than 100,000 mobile devices, including tablets and warehouse scanners, to keep them secured, available, and accessible. This week, Ivanti released Avalanche version 6.4.2, which addresses 22 flaws and hardens security. The vulnerabilities have been confirmed as affecting all versions back to 6.3.1 and, although this has not been confirmed, it is likely that they also affect all 6.X versions.
13 of the flaws have been assigned a CVSS v3.1 severity score of 9.8 out of 10. An attacker could exploit them by sending specially crafted data packets to the Mobile Device Server, which could cause memory corruption resulting in a Denial of Service (DoS) or code execution. The critical flaws are a combination of unauthenticated buffer overflow and stack-based buffer overflow RCE vulnerabilities. 8 vulnerabilities are rated high severity and are a combination of authentication bypass, file upload RCE, information disclosure, server-side request forgery, and denial of service vulnerabilities. One of the 22 vulnerabilities, an information disclosure issue, is rated medium severity.
It is important to update to the latest version as soon as possible. MDM solutions are attractive targets for cybercriminals because a vulnerability in an MDM solution can be exploited to attack all devices managed by the solution. At the time of release, however, none of the flaws are believed to have been exploited in the wild.
Ivanti is urging all users to download the Avalanche installer and update to the latest version, Avalanche 6.4.2, immediately. Ivanti has reminded users that they should have their MSSQL database password available, as Ivanti does not store the password for subsequent installs.
Earlier this year, Ivanti issued patches to fix two actively exploited vulnerabilities in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerabilities are thought to have been exploited in state-sponsored attacks.