Ivanti Avalanche, an enterprise mobility management product, has been found to have two critical vulnerabilities that can let an attacker execute malicious code remotely.
Collectively, the flaws are categorised as stack-based buffer overflow vulnerabilities and are given a high-severity rating. Ivanti has released a security update that patches both flaws, alongside other bugs, and urges users to install it.
Patch Your Ivanti Avalanche Software
Ivanti Avalanche, enterprise software used to manage, monitor, and secure a wide range of mobile devices, is affected by two stack-based buffer overflow bugs, as noted by Tenable researchers. Collectively tracked as CVE-2023-32560, the bugs were given a CVSS score of 9.8/10, making them critical.
Researchers note the bugs are remotely exploitable without user authentication, allowing attackers to execute arbitrary code on the target system.
The flaws specifically affect WLAvalancheService.exe version 188.8.131.52 and older. Researchers say an attacker intending to exploit them can craft malicious or unacceptable strings that cause a buffer overflow, because a fixed-size stack-based buffer is used to store the converted data.
For those unfamiliar, a buffer overflow is a type of security issue where a program writes more data to a memory block (buffer) than it can hold, overwriting adjacent memory locations and causing program crashes or arbitrary code execution.
So if an attacker can send malicious code to the target machine and trick it into accepting it, the machine will eventually run the malicious code rather than the original code. After reporting to Ivanti on April 4, 2023, Tenable researchers shared the proof-of-concept with the vendor on April 13, 2023.
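The bug class described above, as an added example that is not Ivanti's or Tenable's code: a conversion routine that writes into a fixed-size stack buffer, shown once without a bounds check and once hardened. Hex-string decoding stands in for the unspecified conversion, and FIELD_MAX, handle_field and the decode functions are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* assumed size of the fixed stack buffer */

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unsafe pattern (shown for contrast, never called): the number of bytes
 * written depends only on the input, not on the size of out[]. */
size_t decode_unchecked(const char *hex, unsigned char *out) {
    size_t n = 0;
    for (; hex[0] && hex[1]; hex += 2)
        out[n++] = (unsigned char)((hex_val(hex[0]) & 0xF) << 4 | (hex_val(hex[1]) & 0xF));
    return n;
}

/* Hardened: refuse odd lengths, non-hex digits and anything larger than cap.
 * Returns the number of bytes decoded, or -1 if the input is rejected. */
long decode_checked(const char *hex, unsigned char *out, size_t cap) {
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > cap) return -1;
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hex_val(hex[2 * i]), lo = hex_val(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)(hi << 4 | lo);
    }
    return (long)(len / 2);
}

/* Hypothetical message handler that decodes into a fixed-size stack buffer. */
long handle_field(const char *hex) {
    unsigned char field[FIELD_MAX];
    return decode_checked(hex, field, sizeof field);
}

int main(void) {
    char big[2 * FIELD_MAX + 3];            /* constructed oversized input */
    memset(big, '4', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %ld, oversized: %ld\n", handle_field("41424344"), handle_field(big));
    return 0;
}
```

The hardened decoder checks the decoded length against the destination capacity before writing a single byte, so an oversized field is rejected instead of spilling past the stack buffer.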
Months after this, Ivanti released a security update on August 3, 2023, bringing Avalanche to version 6.4.1 with fixes. Alongside patching the two buffer overflow bugs, the new update also fixes CVE-2023-32561, CVE-2023-32562, CVE-2023-32563, CVE-2023-32564, CVE-2023-32565, and CVE-2023-32566, concerning various authentication bypass and remote code execution flaws.
This comes a month after CISA warned federal agencies of a critical bug in Ivanti EPMM, where an authentication bypass vulnerability could let attackers steal sensitive data from agency devices.