
April 17, 2024

Ivanti addresses critical security flaws in Avalanche MDM


Ivanti is warning users of its Avalanche mobile device management (MDM) solution, formerly known as Wavelink Avalanche, to patch 27 vulnerabilities, two of which are critical.

The two critical vulnerabilities, designated CVE-2024-24996 and CVE-2024-29204, are heap-based buffer overflow flaws found in Avalanche's WLInfoRailService and WLAvalancheService components.

Successful exploitation could allow an unauthenticated threat actor to remotely execute arbitrary commands in low-complexity attacks that don’t require any user interaction.

The remaining 25 vulnerabilities, rated medium to high severity, could lead to denial-of-service attacks, the execution of arbitrary commands with ‘SYSTEM’ privileges, access to sensitive information, and remote code execution attacks.

So far, Ivanti is not aware of any exploitation of the vulnerabilities. However, it recommends that users update to version 6.4.3 of Avalanche as soon as possible.

Source: Bleeping Computer

Analysis

Enterprise admins use Avalanche to remotely deploy software, schedule updates, and otherwise manage large fleets of mobile devices from a single central location. MDM solutions such as this have a history of being targeted by state-sponsored cyber actors seeking access to individuals and networks of interest.

For example, in July 2023, it was reported that a state-affiliated threat actor leveraged two zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to breach the networks of multiple Norwegian government departments.

2024 has proven to be a rough year for Ivanti, with nation-state actors exploiting multiple Ivanti vulnerabilities as zero-days to deploy various custom malware strains.

Additionally, Ivanti was the subject of the Cybersecurity and Infrastructure Security Agency’s (CISA) first emergency directive of 2024 that ordered federal agencies to secure Ivanti Connect Secure and Policy Secure systems against zero-day flaws targeted in widespread attacks.

Only two weeks later, citing the active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, CISA changed the directive to order agencies to disconnect all vulnerable Ivanti VPN appliances and replace them with fresh rebuilds.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti Avalanche. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities.

Field Effect users will be automatically notified via the Covalence Portal if the vulnerable Ivanti solutions are detected in their environment and are encouraged to follow the mitigative advice included in these AROs as quickly as possible.

Field Effect strongly encourages users of Ivanti Avalanche to update to version 6.4.3 as soon as possible.

Keep in mind that some deployed Ivanti solutions still use names and run versions of firmware from before Ivanti acquired Pulse Secure, MobileIron, and Wavelink amongst others. Network defenders should look for previous naming conventions when verifying the presence of Ivanti solutions in their environment to ensure they don’t dismiss warnings inadvertently.
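As an added example, not code from the advisory or from Ivanti, the following Python script applies the naming-convention check above to an asset inventory: it maps both current and legacy product names (Wavelink Avalanche, MobileIron Core, Pulse Secure) to a single current Ivanti product, treats the WLInfoRailService and WLAvalancheService service names as evidence of Avalanche even when the product field is unhelpful, and flags Avalanche installs older than the 6.4.3 release the advisory points to. The inventory rows, host names and alias table are constructed assumptions; the alias lists cover only the names mentioned on this page.

```python
"""Triage an asset inventory for Ivanti products, including legacy names.

Added example, not part of the advisory. The inventory rows below are
constructed sample data; the alias table is an assumption built only from
the product names the advisory mentions.
"""
import re

# Fixed Avalanche release named in the advisory; anything older is flagged.
FIXED_AVALANCHE_VERSION = (6, 4, 3)

# Current Ivanti product -> lowercase substrings that may appear in an
# inventory, including pre-acquisition names. Order matters: the first
# matching product wins.
PRODUCT_ALIASES = {
    "Ivanti Avalanche": ["avalanche", "wavelink"],
    "Ivanti Endpoint Manager Mobile (formerly MobileIron Core)": [
        "endpoint manager mobile", "epmm", "mobileiron",
    ],
    "Ivanti Connect Secure / Policy Secure (formerly Pulse Secure)": [
        "connect secure", "policy secure", "pulse secure",
    ],
}

# Windows service names of the two Avalanche components in the advisory.
AVALANCHE_SERVICE_NAMES = {"wlinforailservice", "wlavalancheservice"}


def parse_version(text):
    """Turn strings like '6.4.2' or 'v6.4.2.1' into an int tuple for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))


def normalize_product(name):
    """Map a product string (current or legacy name) to its current Ivanti name."""
    lowered = (name or "").lower()
    for current, aliases in PRODUCT_ALIASES.items():
        if any(alias in lowered for alias in aliases):
            return current
    return None


def avalanche_needs_update(version):
    """True when a parseable Avalanche version is older than 6.4.3."""
    parsed = parse_version(version)
    return bool(parsed) and parsed < FIXED_AVALANCHE_VERSION


def triage_inventory(rows):
    """Return one finding per row that looks like an Ivanti product.

    Each row is a dict with 'host', 'product', 'version' and a 'services' list.
    """
    findings = []
    for row in rows:
        product = normalize_product(row.get("product"))
        services = {s.lower() for s in row.get("services", [])}
        # A host may report a generic product name but still run the
        # Avalanche services; catch it by service name instead.
        if product is None and services & AVALANCHE_SERVICE_NAMES:
            product = "Ivanti Avalanche"
        if product is None:
            continue
        version = row.get("version", "")
        action = "verify"
        if product == "Ivanti Avalanche":
            if avalanche_needs_update(version):
                action = "update to 6.4.3"
            elif parse_version(version):
                action = "at or above 6.4.3"
            else:
                action = "version unknown; verify"
        findings.append({
            "host": row["host"],
            "product": product,
            "reported_as": row.get("product", ""),
            "version": version,
            "action": action,
        })
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "mdm-01", "product": "Ivanti Avalanche", "version": "6.4.3",
     "services": ["WLAvalancheService"]},
    {"host": "mdm-02", "product": "Wavelink Avalanche", "version": "6.3.2",
     "services": ["WLInfoRailService", "WLAvalancheService"]},
    {"host": "legacy-03", "product": "Unknown", "version": "",
     "services": ["WLInfoRailService"]},
    {"host": "vpn-01", "product": "Pulse Connect Secure", "version": "9.1R14",
     "services": []},
    {"host": "file-01", "product": "Some File Server", "version": "2.0",
     "services": ["Spooler"]},
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:10} {f['product']:60} {f['version']:8} -> {f['action']}")
```

The point of the service-name fallback is the one the advisory makes: an inventory tool may label the host by a stale or generic name, so matching on the component service names and on the pre-acquisition product names avoids dismissing a warning that does apply.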
