Vulnerabilities Expose Thousands of MobileIron Servers to Remote Attacks
2020-09-14 12:18

Researchers have disclosed the details of several potentially serious vulnerabilities affecting MobileIron's mobile device management solutions, including a flaw that can be exploited by an unauthenticated attacker for remote code execution on affected servers.

The vulnerabilities were identified by researchers at security consulting firm DEVCORE and they were reported to MobileIron in early April.

In a blog post published last week, DEVCORE's Orange Tsai said the team decided to analyze MobileIron's products because of their widespread use: the vendor claims more than 20,000 enterprises use its solutions, and the researchers' analysis showed that over 15% of Global Fortune 500 organizations, including Facebook, exposed their MobileIron servers to the internet.

Orange Tsai told SecurityWeek that exploiting CVE-2020-15505, which is a deserialization-related issue, is enough for a remote, unauthenticated attacker to achieve arbitrary code execution on a vulnerable MobileIron server.

The researcher says there are currently roughly 10,000 potentially exposed servers on the internet, and while a patch has been available for months, he claims roughly 30% of servers on the internet remain unpatched.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/v0-eMaTKSaU/vulnerabilities-expose-thousands-mobileiron-servers-remote-attacks

Related Vulnerability

DATE: 2020-07-07
CVE: CVE-2020-15505
VULNERABILITY TITLE: Use of Incorrectly-Resolved Name or Reference vulnerability in Mobileiron products
DESCRIPTION: A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low
VENDOR: mobileiron
CWE: CWE-706
RISK: critical, 9.8

Related vendor

VENDOR: Mobileiron
#/PRODUCTS: 8
LAST 12M: LOW 0, MEDIUM 1, HIGH 2, CRITICAL 5
TOTAL VULNS: 8