Security vendor Ivanti has released an update to its Avalanche mobile device management (MDM) product which fixes 22 vulnerabilities, 13 of which are rated critical.
Ivanti Avalanche is described by the vendor as an enterprise MDM solution capable of managing distributed deployments of more than 100,000 mobile devices – including anything from warehouse scanners to handheld tablets.
However, its Avalanche 6.4.2 release published this week includes fixes for 13 flaws rated with a CVSS score of 9.8. They’re a mix of stack-based buffer overflow remote code execution (RCE) vulnerabilities, heap-based buffer overflow RCE and unauthenticated buffer overflows.
“An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result … [in] code execution,” Ivanti warned in an advisory.
“To address the security vulnerabilities listed …, it’s highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.2. The installation will apply a fix for each CVE listed …. These vulnerabilities affect any older versions of Avalanche (confirmed back to 6.3.1 but likely any 6.X versions are affected).”
There’s no suggestion the vulnerabilities are currently being exploited in active attacks, but Ivanti MDM products have in the past been targeted by threat actors.
Over the summer, the vendor was forced to patch a number of zero-day vulnerabilities in its Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. CVE-2023-35078 and CVE-2023-35081 were exploited in likely state-sponsored attacks against a number of Norwegian government ministries.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) wrote in an advisory at the time.
Alongside the 13 critical-rated vulnerabilities, Ivanti fixed a further 9 high and medium severity bugs with its Avalanche 6.4.2 release.