Researchers detected numerous security vulnerabilities in Ivanti Avalanche EMM, allowing remote code execution attacks from unauthenticated adversaries. Ivanti patched the flaws following the bug report; hence, users must update their systems with the latest releases to receive the patches.
Ivanti Avalanche EMM Vulnerabilities
According to a recent report from Tenable, their researchers found two different vulnerabilities affecting Ivanti Avalanche.
Ivanti Avalanche is a dedicated Enterprise Mobile Device Management (EMM) solution, offering its customers to manage wireless settings across the network.
Specifically, the researchers observed two critical-severity buffer overflow vulnerabilities affecting the WLAvalancheService.exe (version 6.4.0.0 and older). The service used a “fixed-size stack-based buffer to store converted binary data from a hex string.” Hence, the first vulnerability would allow an unauthenticated, remote adversary to specify a long hex string that could trigger a buffer overflow.
Then, the next vulnerability appeared during data type 9 item processing, when the service used a fixed-size stack-based buffer to store and convert user-supplied data to an integer using atoll(). A remote adversary could trigger buffer overflow via a long type 9 item, without authentication.
Both issues received a CVE ID CVE-2023-32560 and a CVSS score of 9.8. In their post, the researchers shared the vulnerable scripts, demonstrating the exploits.
Ivanti Patched The Flaws
Tenable researchers discovered and reported the vulnerabilities in early April 2023. Almost after a week, Ivanti confirmed receiving the report and started working on a fix upon receiving the PoC script.
While Tenable set the initial disclosure period as the standard 90 days, Ivanti explained that it would take longer to deploy a patch. Consequently, both parties agreed upon extending the disclosure window, and Ivanti confirmed August 2023 as the patch release month.
Finally, the vendors released the fix with Avalanche 6.4.1, following which, Tenable disclosed the initial advisory.
Recently, Ivanti made it to the news following back-to-back zero-day fiascos in its EPMM that went under attack.
Let us know your thoughts in the comments.
