Skip to main content

Ivanti Releases Security Updates for Multiple Critical Vulnerabilities Affecting Avalanche

Ivanti security updates address twenty two vulnerabilities, thirteen of which are known to be critical severity, affecting Avalanche

Threat ID:
CC-4425
Threat Severity:
Medium
Published:
21 December 2023 4:01 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Ivanti security updates address twenty two vulnerabilities, thirteen of which are known to be critical severity, affecting Avalanche

Affected platforms

The following platforms are known to be affected:

Versions: All versions prior to Avalanche 6.4.2

Ivanti Avalanche

Threat details

Introduction

Ivanti has released a security advisory addressing multiple vulnerabilities in Avalanche enterprise mobile device management (MDM) solution. The vulnerabilities vary in type and consist of thirteen critical, eight high and one medium.

The vulnerabilities of highest criticality are highlighted in the vulnerability details.

Vulnerability Details

  • CVE-2023-41727 - CWE-787 - Out-of-bounds Write
    This is a critical severity unauthenticated buffer overflow vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46216 - CWE-787 - Out-of-bounds Write
    This is a critical severity unauthenticated buffer overflow vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46217 - CWE-787 - Out-of-bounds Write
    This is a critical severity unauthenticated buffer overflow vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46220 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46221 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46222 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46223 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46224 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46225 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46257 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46258 - CWE-787 - Out-of-bounds Write
    This is a critical severity Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46259 - CWE-787 - Out-of-bounds Write
    This is a critical severity TV_FC Stack-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.
  • CVE-2023-46261 - CWE-787 - Out-of-bounds Write
    This is a critical severity Heap-based Buffer Overflow Remote Code Execution Vulnerability with a CVSS score of 9.8. An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service(DoS) or code execution.

Remediation advice

Affected organisations are encouraged to review the following Ivanti Security Advisory and apply the relevant updates.   

CVE Vulnerabilities

Status Published

CVE-2023-41727

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46216

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46217

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46220

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46221

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46222

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46223

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46224

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46225

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46257

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46258

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46259

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46261

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46260

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Status Published

CVE-2023-46262

An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
Status Published

CVE-2023-46266

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
Status Published

CVE-2023-46263

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
Status Published

CVE-2021-22962

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
Status Published

CVE-2023-46264

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
Status Published

CVE-2023-46803

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).
Status Published

CVE-2023-46804

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).
Status Published

CVE-2023-46265

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Last edited: 21 December 2023 4:01 pm