CVE-2021-3391
https://notcve.org/view.php?id=CVE-2021-3391
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message MobileIron Mobile@Work hasta el 22 de marzo de 2021, permite a atacantes distinguir entre cuentas de usuario válidas, desactivadas e inexistentes al observar el número de intentos fallidos de inicio de sesión necesarios para producir un mensaje de error de bloqueo • https://github.com/optiv/rustyIron https://www.mobileiron.com/en/blog/mobileiron-security-updates-available https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration •
CVE-2020-35138
https://notcve.org/view.php?id=CVE-2020-35138
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack ** EN DISPUTA ** Los agentes de MobileIron hasta el 2021-03-22 para Android e iOS contienen una clave de cifrado codificada, utilizada para cifrar el envío de los detalles de nombre de usuario/contraseña durante el proceso de autenticación, tal y como demuestra Mobile@Work (también conocido como com.mobileiron). La clave se encuentra en el archivo com/mobileiron/common/utils/C4928m.java. NOTA: Se ha afirmado que no existe ninguna causalidad o conexión entre el cifrado de credenciales y el ataque MiTM • https://github.com/optiv/rustyIron https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration • CWE-798: Use of Hard-coded Credentials •
CVE-2020-35137
https://notcve.org/view.php?id=CVE-2020-35137
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. • https://github.com/optiv/rustyIron https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration • CWE-798: Use of Hard-coded Credentials •
CVE-2020-15505 – Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-15505
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. Se presenta una vulnerabilidad de ejecución de código remoto en las versiones 10.3.0.3 y anteriores del MobileIron Core y Connector, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y 10.6.0.0; y las versiones 9 del Sentry. 7.2 y anteriores, y versiones 9.8.0; y Monitor and Reporting Database (RDB) versión 2.0.0.1 y anteriores que permite a los atacantes remotos ejecutar código arbitrario a través de vectores no especificados Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. • http://packetstormsecurity.com/files/161097/MobileIron-MDM-Hessian-Based-Java-Deserialization-Remote-Code-Execution.html https://cwe.mitre.org/data/definitions/41.html https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505 https://www.mobileiron.com/en/blog/mobileiron-security-updates-available https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVE-2020-15506
https://notcve.org/view.php?id=CVE-2020-15506
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. Una vulnerabilidad de omisión de autentificación en MobileIron Core y Connector versiones 10.3.0.3 y anteriores, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y versión 10.6.0.0 permite a atacantes remotos omitir los mecanismos de autenticación por medio de vectores no especificados • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available •