WARNING: CRITICAL VULNERABILITIES IN IVANTI AVALANCHE <6.4.3 COULD LEAD TO RCE, PATCH IMMEDIATELY!
CVE-2024-24996: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )
CVE-2024-29204: CVSS 9.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Sources
Risks
Avalanche is Ivanti's enterprise mobile device management system. The company fixed twenty-five (25) vulnerabilities in their latest v6.4.3 update, two (2) of which are 9.8 critical vulnerabilities which could lead to remote code execution (RCE).
Ivanti is not aware of any exploitation of the addressed vulnerabilities. However, successful exploitation of critical CVE-2024-24996 could have a high impact on confidentiality, integrity and availability of data and systems. Exploitation of critical CVE-2024-29204 could have a high impact on availability.
Also check CCB's previous advisories on Ivanti Avalanche dated 30/08/2023 and 21/12/2023.
Even if there is no data available yet about a possible exploitation of CVE-2024-24996, the recent release of the proof-of-concept exploit code increases the likelihood of attacks targeting this vulnerability.
Description
Critical CVE-2024-24996 and CVE-2024-29204 are heap overflow vulnerabilities, respectively in the WLInfoRailService component and the WLAvalancheService component of the affected software.
Successful exploitation of said vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://cert.be/en/advisory/warning-unauthenticated-rce-ivanti-avalanche
https://cert.be/en/advisory/warning-13-critical-vulnerabilities-avalanche-enterprise-mobile-device-management-solution