Ivanti released a security advisory to address 27 medium, high, and critical severity vulnerabilities in its mobile device management solution Avalanche. CVE-2024-24996 and CVE-2024-29204 are the two vulnerabilities that have been given critical severity ratings. Successful exploitation of the vulnerabilities may allow remote attackers to trigger denial-of-service attacks, execute arbitrary commands as SYSTEM, read sensitive information from memory, and perform remote code execution.
Ivanti states in the advisory that there is no evidence of active exploitation of any of the vulnerabilities.
Ivanti Avalanche is a mobile device management system that helps users manage their mobile devices quickly and efficiently. The system includes network security features that allow users to manage wireless settings, including encryption and authentication. Ivanti Avalanche helps maintain control of critical mobile deployments, keeping them secure, available, and accessible.
CVE-2024-24996
This heap overflow vulnerability exists in the WLInfoRailService component of Ivanti Avalanche. On successful exploitation, an unauthenticated remote attacker may execute arbitrary commands.
CVE-2024-29204
This heap overflow vulnerability exists in the WLAvalancheService component of Ivanti Avalanche. On successful exploitation, an unauthenticated remote attacker may execute arbitrary commands.
Affected Versions
The vulnerabilities affect Ivanti Avalanche versions before 6.4.3.
Mitigation
Customers are advised to upgrade to Ivanti Avalanche 6.4.3 or later to patch the vulnerabilities.
For more information, please refer to the Ivanti Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 379671 to detect vulnerable assets.