Security vendor Ivanti has released an update to its Avalanche mobile device management (MDM) product which fixes 22 vulnerabilities, 13 of which are rated critical.
Ivanti Avalanche is described by the vendor as an enterprise MDM solution capable of managing distributed deployments of more than 100,000 mobile devices – including anything from warehouse scanners to handheld tablets.
Its Avalanche 6.4.2 release, published this week, includes fixes for 13 flaws rated with a CVSS score of 9.8. They are a mix of stack-based buffer overflow remote code execution (RCE) vulnerabilities, heap-based buffer overflow RCE vulnerabilities and unauthenticated buffer overflows, all reachable through the product's Mobile Device Server.
“An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result … [in] code execution,” Ivanti warned in an advisory.
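The advisory describes the classic shape of this bug class: a network service reads a length field from an inbound packet and uses it, unchecked, to copy into a fixed-size buffer. The C snippet below is an added illustration of that pattern and its fix; it is not Ivanti's code and says nothing about Avalanche's actual protocol. The two-byte header format, the 16-byte stack buffer and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, assumed for this illustration only (it is NOT
 * the Avalanche protocol): byte 0 = message type, byte 1 = declared payload
 * length, bytes 2.. = payload. */
#define NAME_MAX 16

/* Builds a packet into buf; returns the total packet length. declared_len is
 * allowed to disagree with payload_len so crafted packets can be modelled. */
size_t make_packet(uint8_t *buf, uint8_t type, uint8_t declared_len,
                   const uint8_t *payload, size_t payload_len)
{
    buf[0] = type;
    buf[1] = declared_len;
    memcpy(buf + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Vulnerable parser: trusts the declared length. Returns payload length or -1.
 * On a crafted packet it writes past the 16-byte stack buffer (and reads past
 * the packet), the memory corruption the advisory warns about. */
int parse_name_vulnerable(const uint8_t *pkt, size_t pkt_len, char *out)
{
    char name[NAME_MAX];
    if (pkt_len < 2)
        return -1;
    size_t n = pkt[1];           /* attacker-controlled */
    memcpy(name, pkt + 2, n);    /* BUG: n never checked against NAME_MAX or pkt_len */
    name[n] = '\0';              /* BUG: off-by-one even when n == NAME_MAX */
    memcpy(out, name, n + 1);
    return (int)n;
}

/* Hardened parser: the attacker-controlled length is checked against both the
 * bytes actually received (no over-read) and the destination size (no overflow). */
int parse_name_hardened(const uint8_t *pkt, size_t pkt_len, char *out,
                        size_t out_len)
{
    if (pkt_len < 2)
        return -1;
    size_t n = pkt[1];
    if (n > pkt_len - 2)         /* declares more payload than arrived */
        return -1;
    if (n >= out_len)            /* must leave room for the terminator */
        return -1;
    memcpy(out, pkt + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Scenario helper: builds a packet of 'A's with the given declared and actual
 * payload lengths and returns what the chosen parser does with it. Only the
 * hardened parser is safe to call with crafted (mismatched or oversized) input. */
int parse_result(int hardened, uint8_t declared_len, size_t payload_len)
{
    uint8_t payload[256];
    uint8_t pkt[2 + sizeof payload];
    char out[NAME_MAX];
    memset(payload, 'A', sizeof payload);
    size_t len = make_packet(pkt, 1, declared_len, payload, payload_len);
    return hardened ? parse_name_hardened(pkt, len, out, sizeof out)
                    : parse_name_vulnerable(pkt, len, out);
}

int main(void)
{
    printf("benign 5/5, vulnerable parser : %d\n", parse_result(0, 5, 5));
    printf("benign 5/5, hardened parser   : %d\n", parse_result(1, 5, 5));
    printf("crafted 250/250, hardened     : %d\n", parse_result(1, 250, 250));
    printf("truncated 40/3, hardened      : %d\n", parse_result(1, 40, 3));
    printf("exactly NAME_MAX 16/16, hardened: %d\n", parse_result(1, 16, 16));
    return 0;
}
```

The point of the hardened version is that a length taken from the wire is bounded twice: once by how many bytes were really received, which stops the over-read, and once by the destination buffer, which stops the overflow. The same two checks apply whether the destination lives on the stack or the heap, which is why both classes appear together in the Avalanche fix list.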
“To address the security vulnerabilities listed …, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.2. The installation will apply a fix for each CVE listed …. These vulnerabilities affect any older versions of Avalanche (confirmed back to 6.3.1 but likely any 6.X versions are affected).”
There’s no suggestion the vulnerabilities are currently being exploited in active attacks, but Ivanti MDM products have in the past been targeted by threat actors.
Over the summer, the vendor was forced to patch multiple zero-day vulnerabilities in its Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. CVE-2023-35078 and CVE-2023-35081 were exploited in likely state-sponsored attacks against several Norwegian government ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) wrote in an advisory at the time.
Alongside the 13 critical-rated vulnerabilities, Ivanti fixed a further nine high and medium severity bugs with its Avalanche 6.4.2 release.