Attacker Value
Very High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2020-15506

Disclosure Date: July 07, 2020
Exploited in the Wild
Reported by wvu-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.

Add Assessment

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis
https://mobileiron/mifs/.;/services/someService

The “auth bypass” relies on a discrepancy between how Apache and Tomcat parse the path component in the URI, which is the same technique that was applied to CVE-2020-5902.

“Bypassing authentication” allows one to achieve RCE against either the user interface or the management interface, though it’s not clear that CVE-2020-15505 is the RCE used in the blog post. This is more of an ACL bypass than an auth bypass, honestly. This was briefly mentioned in the post.

Since MobileIron is mobile device management (MDM) software, which is increasingly relevant as the workforce shifts toward remote work, compromising a target’s MDM infrastructure may have devastating consequences.

Developers gluing disparate pieces of software together should take care to avoid turning expected input from one software into unexpected input for another. This bug class is well-documented. In the end, even input sanitization should take care to avoid normalization bugs.

Great find, Orange!

Also see CVE-2020-15505, a MobileIron RCE.

General Information

Additional Info

Technical Analysis