Researchers have disclosed the details of several potentially serious vulnerabilities affecting MobileIron’s mobile device management (MDM) solutions, including a flaw that can be exploited by an unauthenticated attacker for remote code execution on affected servers.
The vulnerabilities were identified by researchers at security consulting firm DEVCORE and they were reported to MobileIron in early April. Patches were released on June 15 and the vendor released an advisory on July 1.
The security holes can be exploited for remote code execution (CVE-2020-15505), to read arbitrary files from a targeted system (CVE-2020-15507), and bypass authentication mechanisms remotely (CVE-2020-15506). Affected products include MobileIron Core (version 10.6 and earlier), MobileIron Sentry, MobileIron Cloud, Enterprise Connector, and Reporting Database.
In a blog post published last week, DEVCORE’s Orange Tsai reported that they have decided to analyze MobileIron’s products due to their widespread use — the vendor claims more than 20,000 enterprises use its solutions and the researchers’ analysis showed that over 15% of Global Fortune 500 organizations exposed their MobileIron servers to the internet, including Facebook.
It’s worth noting that Orange Tsai is one of the researchers who last year disclosed several critical vulnerabilities affecting enterprise VPN products from Palo Alto Networks, Fortinet and Pulse Secure. These flaws ended up being exploited in many attacks, including by state-sponsored threat groups.
Orange Tsai told SecurityWeek that exploiting CVE-2020-15505, which is a deserialization-related issue, is enough for a remote, unauthenticated attacker to achieve arbitrary code execution on a vulnerable MobileIron server.
The researcher says there are currently roughly 10,000 potentially exposed servers on the internet, and while a patch has been available for months, he claims roughly 30% of servers on the internet remain unpatched.
After seeing that Facebook failed to patch its MobileIron server two weeks after the release of a fix, DEVCORE reported the issue to the social media giant through its bug bounty program. The impact of the vulnerability was demonstrated to Facebook by “popping a shell” on one of their servers. Facebook awarded a bug bounty for the report, but the amount is not being disclosed.
Shortly after Orange Tsai disclosed the details of the vulnerabilities, someone created and released a proof-of-concept (PoC) exploit for CVE-2020-15505. The white hat hacker claims to be aware of successful exploitation attempts made by members of the bug bounty community.