Ivanti has patched a number of vulnerabilities in its Avalanche mobile device manager product, reported by security researchers from the Zero Day Initiative (ZDI) and Tenable Security.
Tenable’s contribution was given the identifier CVE-2023-32560, and is a collection of stack-based buffer overflows in Avalanche WLAvanacheServer.exe v6.4.0.0.
The vulnerabilities are rated critical, with a CVSS score of 9.8, because they leave the software vulnerable to remote code execution (RCE) by unauthenticated attackers.
A further six vulnerabilities, one of which also has a CVSS score of 9.8, were reported to Ivanti by the ZDI.
The critical vulnerability, CVE-2023-32563, is a directory traversal bug in Avalanche’s updateSkin function which can also be exploited for unauthenticated RCE.
“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations,” the ZDI researchers wrote.
“An attacker can leverage this vulnerability to execute code in the context of SYSTEM.”
CVE-2023-32561 is an authentication bypass bug with a CVSS score of 8.1.
“The specific flaw exists within the dumpHeap method,” the ZDI researchers wrote.
“The issue results from an incorrect permission assignment. An attacker can leverage this vulnerability to bypass authentication on the system.”
The remaining lower-rated vulnerabilities are in Avalanche SecureFilter (CVE-2023-32566 and CVE-2023-32565); and an arbitrary file upload bug (CVE-2023-32564 and CVE-2023-32562).
Ivanti has patched the bugs in Avalanche 6.4.1.207.