Get in Touch
Ivanti addresses 19 critical vulnerabilities
Target Industry
Indiscriminate, opportunistic targeting.
Overview
On 18th April 2024, Ivanti released a series of patches to address previously unknown vulnerabilities in their Ivanti Avalanche Mobile Device Management solution. The vulnerabilities were disclosed by Ivanti using the patch release notes.
We strongly recommend that organisations using Ivanti patch immediately.
Impact
Following the release of these vulnerabilities, organisations should expect mass scanning for vulnerable Ivanti Avalanche applications. Additionally, organisations should expect mass exploitation from threat actors. Previous vulnerabilities like this are typically followed by threat actors attempting to install backdoors onto as many vulnerable applications as possible.
Vulnerability Detection
Ivanti Avalanche instances before versions 6.4.3 are vulnerable.
Vulnerabilities
Visit Avalanche 6.4.3 Security Hardening and CVEs addressed for details of the following Common Vulnerability Exposures (CVEs):
| CVE-2024-22061 | A Heap Overflow vulnerability in WLInfoRailService before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | 8.1 |
| CVE-2024-23526 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | 5.3 |
| CVE-2024-23527 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | 5.3 |
| CVE-2024-23528 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | 5.3 |
| CVE-2024-23529 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | 5.3 |
| CVE-2024-23530 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | 5.3 |
| CVE-2024-23531 | An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory. | 7.5 |
| CVE-2024-23533 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory. | 4.3 |
| CVE-2024-23532 | An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution. | 7.5 |
| CVE-2024-23534 | An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-23535 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24991 | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | 6.5 |
| CVE-2024-24992 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24993 | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24994 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24995 | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24996 | A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. | 9.8 |
| CVE-2024-24997 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24998 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-24999 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-25000 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-27975 | A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-27976 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | 8.8 |
| CVE-2024-27977 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service. | 7.1 |
| CVE-2024-27978 | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | 6.5 |
| CVE-2024-27984 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. | 7.1 |
| CVE-2024-29204 | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | 9.8 |
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Threat Landscape
Ivanti products are being scrutinised by threat actors and security researchers thoroughly. This scrutinization brings with it disclosed vulnerabilities.
The wave of vulnerabilities attached to Ivanti products has flagged Ivanti software as effective initial access vectors for threat actors. Additionally, Ivanti solutions are considered enterprise grade and the organisations that use Ivanti will almost certainly contain a wealth of information, data, and personal details that attract threat actors.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Further Information
- https://www.quorumcyber.com/threat-intelligence/ivanti-discloses-two-additional-vulnerabilities-privilege-escalation-and-access-to-restricted-resources/
- https://www.quorumcyber.com/threat-intelligence/ivanti-discloses-zero-day-vulnerabilities-under-active-exploit/
- https://www.quorumcyber.com/threat-intelligence/ivanti-discloses-critical-rce-vulnerability-in-epm-software/
- https://www.quorumcyber.com/threat-intelligence/ivanti-discloses-multiple-critical-vulnerabilities-targeting-mobileiron/
- https://www.quorumcyber.com/threat-intelligence/critical-ivanti-zero-day-vulnerability-actively-exploited/
- https://www.quorumcyber.com/threat-intelligence/ivanti-discloses-buffer-overflow-flaw/