
Rapid7 Analysis: CVE-2020-15505

Last updated on Jun 16, 2026

Description

On June 15, 2020, MobileIron published a security advisory that included CVE-2020-15505, a remote code execution vulnerability in the Core and Connector components of their mobile device management (MDM) software. The vulnerability arises from an access control list (ACL) bypass (CVE-2020-15506) that takes advantage of a discrepancy between how Apache and Tomcat parse the path component in the URI. This can then be leveraged to execute code remotely.

MobileIron CVE-2020-15505 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. Government agencies in the U.S. and the UK have confirmed the vulnerability is being targeted by APT groups. Rapid7 researchers have observed many vulnerable instances of MobileIron that are exposed to the public internet, including management interfaces; we recommend organizations take immediate action in light of ongoing exploitation.

Researcher Orange Tsai originally discovered and published information on this set of vulnerabilities; the write-up is linked under References.

Affected products

In their updated report on October 22, 2020, MobileIron specified that the following products are affected:

  • MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0;
  • Sentry versions 9.7.2 and earlier, and 9.8.0; and
  • Monitor & Reporting Database (RDB) versions 2.0.0.1 and earlier

Rapid7 analysis

In October 2020, the U.S. National Security Agency included MobileIron CVE-2020-15505 on their list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. Both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of MobileIron, though our research team also noted that some vulnerable instances are not easily exploitable because of a Spring firewall blocking the exploit requests.

Guidance

We urge MobileIron MDM customers to patch as soon as possible, without waiting for their next regular patch cycle. MobileIron customers who have not updated in the past six months should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure management interfaces, especially for mobile device management solutions, are not exposed to the internet.
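
One way to start the log review recommended above, as an added example (not Rapid7's or MobileIron's code): it flags requests in which a `;` path parameter is attached to an empty, `.` or `..` segment, so that a front end matching the literal path and a servlet container that strips the parameter resolve different resources. It assumes the Apache/Tomcat discrepancy from the Description involves `;` path parameters, which this page does not spell out; the log lines, the `/portal/...` paths and the simplified container behaviour are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (combined-log style); hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2020:10:00:01 +0000] "GET /portal/login.jsp;jsessionid=A1B2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Nov/2020:10:00:05 +0000] "GET /portal/public/..;/admin/status HTTP/1.1" 200 87',
    '198.51.100.4 - - [01/Nov/2020:10:02:11 +0000] "POST /portal/.;/reports/export?fmt=csv HTTP/1.1" 200 10',
    '198.51.100.9 - - [01/Nov/2020:10:03:40 +0000] "GET /portal/%2e%2e;v=1/internal HTTP/1.1" 404 0',
    '192.0.2.15 - - [01/Nov/2020:10:04:02 +0000] "GET /portal/index.html HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def container_view(raw_path):
    """Assumed servlet-container handling: drop ';params' from each raw
    segment, percent-decode, then collapse '.' and '..' segments."""
    segments = [unquote(seg.split(";", 1)[0]) for seg in raw_path.split("/")]
    return posixpath.normpath("/".join(segments))

def hides_dot_segment(raw_path):
    """True when a ';' parameter is attached to an empty, '.' or '..' segment.
    A session parameter on a normal file name (login.jsp;jsessionid=...) is not flagged."""
    for seg in raw_path.split("/"):
        name, sep, _params = seg.partition(";")
        if sep and unquote(name) in ("", ".", ".."):
            return True
    return False

def scan(lines):
    """Return (path as logged, path the container would resolve) for flagged requests."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        raw_path = match.group("target").split("?", 1)[0]
        if hides_dot_segment(raw_path):
            findings.append((raw_path, container_view(raw_path)))
    return findings

if __name__ == "__main__":
    for logged, resolved in scan(SAMPLE_LOG):
        print(f"{logged}  ->  {resolved}")
```

A hit means the front-end rules and the application saw different paths for that request; correlate the source address and time with authentication and application logs before drawing conclusions.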

References

  • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
  • https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
  • https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505