Very High
CVE-2020-15505
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-15505
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
Add Assessment
Ratings
-
Attacker ValueVery High
Technical Analysis
According to Black Arrow, it looks like this CVE is being exploited to deliver Kaiten malware. This is another of the batch Orange Tsai wrote about from among their MobileIron discoveries last month. @wvu-r7 has a bit more context on the auth bypass in his assessment of CVE-2020-15506, too.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
MobileIron CVE-2020-15505 is an ongoing threat, and government agencies in the U.S. and the UK have confirmed the vulnerability is being targeted by APTs groups.
Rapid7 research conducted by @wvu-r7 has confirmed that this CVE is the RCE mentioned in the blog post by Orange Tsai.
Users are encouraged to update as fast as possible.
Also see CVE-2020-15506 a MobileIron authentication bypass
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
Update, July 2021: https://us-cert.cisa.gov/ncas/alerts/aa21-209a Notes this was heavily exploited by APT groups in 2020, as one of the most actively exploited bugs of 2020.
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
It’s not actually clear this is the RCE in the blog post It’s clear now, so please see CVE-2020-15506 for the original analysis.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- mobileiron
Products
- core,
- enterprise connector,
- monitor and reporting database,
- sentry
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
- Other: 2020 Most Exploited Vulnerabilities Report (https://www.ic3.gov/Media/News/2021/210728.pdf)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Description
On June 15, 2020, MobileIron published a security advisory that included CVE-2020-15505, a remote code execution vulnerability in the Core and Connector components of their mobile device management (MDM) software. The vulnerability arises from an access control list (ACL) bypass (CVE-2020-15506) that takes advantage of a discrepancy between how Apache and Tomcat parse the path component in the URI. This can then be leveraged to execute code remotely.
MobileIron CVE-2020-15505 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. Government agencies in the U.S. and the UK have confirmed the vulnerability is being targeted by APT groups. Rapid7 researchers have observed many vulnerable instances of MobileIron that are exposed to the public internet, including management interfaces; we recommend organizations take immediate action in light of ongoing exploitation.
Researcher Orange Tsai originally discovered and published information on this set of vulnerabilities here.
Affected products
In their updated report on October 22, 2020, MobileIron specified that the following products are affected:
- MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0;
- Sentry versions 9.7.2 and earlier, and 9.8.0; and
- Monitor & Reporting Database (RDB) versions 2.0.0.1 and earlier
Rapid7 analysis
In October 2020, the U.S. National Security Agency included MobileIron CVE-2020-15505 on their list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. Both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of MobileIron, though our research team also noted that some vulnerable instances are not easily exploitable because of a Spring firewall blocking the exploit requests.
Guidance
We urge MobileIron MDM customers to patch as soon as possible, without waiting for their next regular patch cycle. MobileIron customers who have not updated these past six months should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure management interfaces, especially for mobile device management solutions, are not exposed to the internet.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: