Vulnerability Spotlight 2: MobileIron MDM
CVE-2020-15505: a MobileIron MDM vulnerability
This article continues the NCSC’s Vulnerability Spotlight series, in which we examine a range of security vulnerabilities disclosed over the past year. Each post gives a high-level overview of a vulnerability, adds our thoughts on its implications, and provides some further reading.
Mobile Device Management (MDM) applications allow organisations to centrally manage and administer mobile devices such as mobile phones and laptops. MDM applications are increasing being used by organisations to manage large numbers of devices used by staff, both on-premises and at home. Last year, three severe vulnerabilities were reported in the MobileIron MDM product. The most critical of the three vulnerabilities, CVE-2020-15505, allows for remote code execution on devices running the affected product. MobileIron has subsequently released patches for all three vulnerabilities.
Typical MDM architecture involves a central server from which system administrators manage mobile devices. Mobile devices must be able to reach this management server from outside the organisation’s network, which exposes them to the internet.
CVE-2020-15505 was discovered on the MobileIron MDM central management server. Specifically, it was the result of a bug where the server insecurely deserialises (retrieves data structured in a specific format and commits the data to memory in the form of an object or data structure) user input. The bug only existed in the MDM management web interface, which typically shouldn’t be exposed to the internet. The MobileIron server segregates the management interface from other interfaces which typically are accessible to the internet. However, if a malicious actor managed to bypass the segregation and access control, they may have been able to get to the vulnerable component of the management interface.
This is exactly what the security researcher who discovered this vulnerability did. These separate interfaces are segmented using Apache Rewrite Rules. However, due to an existing access bypass technique this access control could be circumvented, giving a malicious actor access to the vulnerable interface. Using these vulnerabilities in unison, it was proven that a remote code execution could be executed.
The use of MDM products is considered good practice for managing mobile devices within an organisation. However, as a tool that is by design a centralised system that connects to a large number of user devices while also being accessible from outside of your core network, it will naturally increase an organisation’s threat surface. That’s why as per Protective Security Requirements (PSR) INFOSEC 1, organisations should identify the ICT systems that they manage and then assess any security risks (threats and vulnerabilities) associated with these systems, including the business impact of any security breaches. Knowing your own environment and the risks you face is the first step in protecting your organisation. Any identified risks can then be mitigated by appropriate security controls.
Additionally, as with any IT system, not applying security patches in a timely manner can leave your organisation vulnerable to malicious actors.