An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
An attacker sends specially crafted network packets to the Mobile Device Server component operating within Ivanti Avalanche. Improper processing of this data leads to writing outside the allocated memory area (CWE-787 — out-of-bounds write), causing memory corruption of the process. This state can be exploited to gain control over program execution flow (RCE) or cause its crash (DoS).
An attacker can gain full control over the server through remote code execution (RCE) or cause unavailability of the mobile device management service (DoS). The attack requires no authentication or user interaction.
Ivanti Avalanche should be updated to version 6.4.2 or later according to information contained in vendor release notes available at the address indicated in the references. It is also recommended to restrict network access to the Mobile Device Server port exclusively to trusted hosts using a firewall.
Ivanti Avalanche — versions prior to 6.4.2 (according to vendor references); Microsoft Windows environment as the platform hosting the Mobile Device Server component
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Avalanche
APPIvanti< 6.4.2Microsoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit