Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
The newest version of Ivanti Avalanche – the company’s enterprise mobile device management (MDM) solution – carries fixes for 27 vulnerabilities, two of which (CVE-2024-29204, CVE-2024-24996) are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure,” the company said on Wednesday.
CVE-2024-29204 and CVE-2024-24996
Both critical vulnerabilities are heap overflow bugs: CVE-2024-29204 is in the WLAvalancheService, and CVE-2024-24996 in the WLInfoRailService component of Ivanti Avalanche before v6.4.3, and may allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems.
The vulnerabilities can be triggered without any user interaction, and no pre-conditions have to be met for successful exploitation.
Tenable Security, which disclosed CVE-2024-29204 and a proof-of-concept (PoC) exploit for it to Ivanti, has published additional details about the flaw and how it can be exploited by sending messages to Avalanche’s WLAvalancheService.exe on TCP port 1777.
Ivanti Avalanche v6.4.3 contains fixes for 25 other vulnerabilities affecting those same two components and a web component of the solution. They may allow command execution, information disclosure (from the system’s memory), or trigger a denial-of-service condition.
“These vulnerabilities affect any older versions of Avalanche,” Ivanti said.
Ivanti enterprise solutions under attack
With vulnerabilities in its enterprise mobile management, VPN, and network access control solutions having been exploited by attackers left and right, Ivanti has had a difficult few months.
The onslaught has spurred the company to announce that it will be increasing efforts to improve the security of its products, support for its customers, and information sharing with the community.