CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3391
https://notcve.org/view.php?id=CVE-2021-3391
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message MobileIron Mobile@Work hasta el 22 de marzo de 2021, permite a atacantes distinguir entre cuentas de usuario válidas, desactivadas e inexistentes al observar el número de intentos fallidos de inicio de sesión necesarios para producir un mensaje de error de bloqueo • https://github.com/optiv/rustyIron https://www.mobileiron.com/en/blog/mobileiron-security-updates-available https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2020-35138
https://notcve.org/view.php?id=CVE-2020-35138
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack ** EN DISPUTA ** Los agentes de MobileIron hasta el 2021-03-22 para Android e iOS contienen una clave de cifrado codificada, utilizada para cifrar el envío de los detalles de nombre de usuario/contraseña durante el proceso de autenticación, tal y como demuestra Mobile@Work (también conocido como com.mobileiron). La clave se encuentra en el archivo com/mobileiron/common/utils/C4928m.java. NOTA: Se ha afirmado que no existe ninguna causalidad o conexión entre el cifrado de credenciales y el ataque MiTM • https://github.com/optiv/rustyIron https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2020-35137
https://notcve.org/view.php?id=CVE-2020-35137
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. • https://github.com/optiv/rustyIron https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration • CWE-798: Use of Hard-coded Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-5903
https://notcve.org/view.php?id=CVE-2014-5903
The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. La aplicación Mobile@Work 6.0.0.1.12R (también conocida como com.mobileiron) para Android no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle falsificar servidores y obtener información sensible a través de un certificado manipulado. • http://www.kb.cert.org/vuls/id/582497 http://www.kb.cert.org/vuls/id/823529 https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing • CWE-310: Cryptographic Issues •