Several serious security flaws have been reported in Ivanti Avalanche, an enterprise mobile device management solution used by 30,000 organizations.
The vulnerabilities, which are collectively tracked as CVE-2023-32560 (CVSS score: 9.8), are stack-based buffer overflows in Ivanti Avalanche WLAvalancheServer.exe v6.4.0.0.
Cybersecurity company Tenable said the flaws are buffer overflows that can arise when the server processes specific data types.
It states that an unauthenticated remote attacker can supply a long hex string or a long type 9 item to overflow the buffer.
Both issues can be exploited by a remote adversary to achieve code execution or to crash the system.
Stack-based buffer overflow vulnerabilities occur when the buffer being overwritten is in the stack, creating a scenario where program execution can be altered to run arbitrary code with elevated privileges.
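As an added illustration (not code from Ivanti or Tenable, and not the Avalanche protocol), a hypothetical item handler in C that decodes a hex string into a fixed-size stack buffer and performs the length check whose absence is what lets an over-long input overrun the buffer; the 64-byte buffer and the item layout are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed size of the stack buffer that receives one decoded item. */
#define ITEM_MAX_BYTES 64

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode hex text into out[]; returns the number of bytes written, or -1.
 * The out_cap comparison is the bounds check: without it, a long hex string
 * would be decoded straight past the end of the caller's stack buffer. */
int decode_hex_item(const char *hex, size_t hex_len, uint8_t *out, size_t out_cap) {
    if (hex == NULL || out == NULL) return -1;
    if (hex_len % 2 != 0) return -1;          /* odd length is malformed */
    if (hex_len / 2 > out_cap) return -1;     /* reject before touching the buffer */
    for (size_t i = 0; i < hex_len; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;      /* non-hex character */
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(hex_len / 2);
}

/* Handler that decodes into a stack buffer, as in the pattern described above.
 * Returns the decoded length, or -1 when the item is rejected. */
int handle_hex_item(const char *hex) {
    uint8_t item[ITEM_MAX_BYTES];
    int n = decode_hex_item(hex, strlen(hex), item, sizeof item);
    if (n < 0) return -1;                     /* oversize or malformed: drop it */
    /* normal processing of item[0..n) would follow here */
    return n;
}

/* Constructed input: 65 bytes encoded as 130 hex chars, one byte past the buffer. */
int oversize_item_rejected(void) {
    char big[131];
    memset(big, 'a', 130);
    big[130] = '\0';
    return handle_hex_item(big) == -1;
}

/* Constructed input: exactly 64 bytes (128 hex chars) must still be accepted. */
int max_item_accepted(void) {
    char full[129];
    memset(full, 'f', 128);
    full[128] = '\0';
    return handle_hex_item(full) == ITEM_MAX_BYTES;
}
```

The same length-before-copy discipline applies to any fixed-size item type the parser accepts, not only hex strings.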
After the issue was disclosed in April 2023, Ivanti released Avalanche version 6.4.1 to address it.
The update also addresses six other vulnerabilities (CVE-2023-32561 to CVE-2023-32566) that could lead to authentication bypass and remote code execution.
Security vulnerabilities in Ivanti software have surfaced repeatedly in recent weeks, so it is imperative that users move quickly to apply the fixes and mitigate potential threats.