CVE-2023-46260: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2023-46260 is a security vulnerability discovered in Ivanti Avalanche's Mobile Device Server, affecting all supported versions 6.3.1 and above, as well as older versions. The vulnerability was reported through Trend Micro's Zero Day Initiative and was disclosed on December 19, 2023. The issue affects the WLAvalancheService component of Ivanti Avalanche, which is an enterprise mobile device management (MDM) solution (Bleeping Computer, Ivanti Blog).

The vulnerability is specifically identified as a Null Pointer Dereference issue within the WLAvalancheService component. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. However, HackerOne assigned it a CVSS score of 7.5 (HIGH) with a vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, ZDI Advisory).

The vulnerability can result in a Denial of Service (DoS) condition or potential code execution on affected systems. When exploited, the issue causes memory corruption through specially crafted data packets sent to the Mobile Device Server (NVD).

Ivanti has released security updates to address this vulnerability in Avalanche version 6.4.2. It is strongly recommended for users to upgrade to Avalanche 6.4.2 to mitigate the risk. The fix is available in version 6.4.2.313 (Release Notes, Ivanti Blog).