Security vendor Ivanti has released an update to its Avalanche mobile device management (MDM) product that fixes 22 vulnerabilities, 13 of which are rated critical.
Ivanti Avalanche is described by the vendor as an enterprise MDM solution capable of managing distributed deployments of more than 100,000 mobile devices, from warehouse scanners to handheld tablets.
However, its Avalanche 6.4.2 version released this week includes fixes for 13 flaws noted with a CVSS score of 9.8. This is a mix of stack-based buffer overflow, RCE heap-based buffer overflow, and unauthenticated buffer overflow vulnerabilities.
“An attacker sending specially crafted data packets to the mobile device server may cause memory corruption, which could lead to… code execution,” Ivanti warned in an advisory.
“To address the listed security vulnerabilities…, it is strongly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.2. The installation will apply a patch for each CVE listed…. These vulnerabilities affect all older versions of Avalanche (confirmed up to version 6.3.1, but all versions 6.X are likely affected).
There is no indication that the vulnerabilities are currently being exploited in active attacks, but Ivanti MDM products have been targeted by malicious actors in the past.
Over the summer, the vendor was forced to patch several zero-day vulnerabilities in its Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. CVE-2023-35078 and CVE-2023-35081 were exploited in likely state-sponsored attacks against several Norwegian government ministries.
“Mobile device management (MDM) systems are attractive targets for bad actors because they provide high access to thousands of mobile devices, and APT actors exploited a previous vulnerability in MobileIron,” said l US Cybersecurity and Infrastructure Security Agency (CISA). wrote in a review at the time.
In addition to the 13 vulnerabilities deemed critical, Ivanti fixed nine other high and medium severity bugs with its Avalanche 6.4.2 release.