Attacker Value
Very High
(4 users assessed)
Exploitability
High
(4 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

CVE-2020-15505

Disclosure Date: July 07, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
Technical Analysis

According to Black Arrow, it looks like this CVE is being exploited to deliver Kaiten malware. This is another of the batch Orange Tsai wrote about from among their MobileIron discoveries last month. @wvu-r7 has a bit more context on the auth bypass in his assessment of CVE-2020-15506, too.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

MobileIron CVE-2020-15505 is an ongoing threat, and government agencies in the U.S. and the UK have confirmed the vulnerability is being targeted by APTs groups.

Rapid7 research conducted by @wvu-r7 has confirmed that this CVE is the RCE mentioned in the blog post by Orange Tsai.

Users are encouraged to update as fast as possible.

Also see CVE-2020-15506 a MobileIron authentication bypass

2
Ratings
Technical Analysis

Update, July 2021: https://us-cert.cisa.gov/ncas/alerts/aa21-209a Notes this was heavily exploited by APT groups in 2020, as one of the most actively exploited bugs of 2020.

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

1
Technical Analysis

It’s not actually clear this is the RCE in the blog post It’s clear now, so please see CVE-2020-15506 for the original analysis.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Exploited in the Wild

Reported by:
Technical Analysis

Description

On June 15, 2020, MobileIron published a security advisory that included CVE-2020-15505, a remote code execution vulnerability in the Core and Connector components of their mobile device management (MDM) software. The vulnerability arises from an access control list (ACL) bypass (CVE-2020-15506) that takes advantage of a discrepancy between how Apache and Tomcat parse the path component in the URI. This can then be leveraged to execute code remotely.

MobileIron CVE-2020-15505 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. Government agencies in the U.S. and the UK have confirmed the vulnerability is being targeted by APT groups. Rapid7 researchers have observed many vulnerable instances of MobileIron that are exposed to the public internet, including management interfaces; we recommend organizations take immediate action in light of ongoing exploitation.

Researcher Orange Tsai originally discovered and published information on this set of vulnerabilities here.

Affected products

In their updated report on October 22, 2020, MobileIron specified that the following products are affected:

  • MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0;
  • Sentry versions 9.7.2 and earlier, and 9.8.0; and
  • Monitor & Reporting Database (RDB) versions 2.0.0.1 and earlier

Rapid7 analysis

In October 2020, the U.S. National Security Agency included MobileIron CVE-2020-15505 on their list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. Both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of MobileIron, though our research team also noted that some vulnerable instances are not easily exploitable because of a Spring firewall blocking the exploit requests.

Guidance

We urge MobileIron MDM customers to patch as soon as possible, without waiting for their next regular patch cycle. MobileIron customers who have not updated these past six months should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure management interfaces, especially for mobile device management solutions, are not exposed to the internet.

References