logo
DATABASE RESOURCES PRICING ABOUT US

CVE-2020-15506

Description

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. **Recent assessments:** **wvu-r7** at September 22, 2020 8:22pm UTC reported: https://mobileiron/mifs/.;/services/someService The “[auth bypass](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>)” relies on a discrepancy between how Apache and Tomcat parse the path component in the URI, which is the same technique that was applied to [CVE-2020-5902](<https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902-tmui-rce-vulnerability>). “Bypassing authentication” allows one to achieve RCE against either the user interface or the management interface, though it’s not clear that [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) is the RCE used in the [blog post](<https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html>). This is more of an ACL bypass than an auth bypass, honestly. This was briefly mentioned in the post. Since MobileIron is [mobile device management (MDM)](<https://en.wikipedia.org/wiki/Mobile_device_management>) software, which is increasingly relevant as the workforce shifts toward remote work, compromising a target’s MDM infrastructure may have devastating consequences. Developers gluing disparate pieces of software together should take care to avoid turning expected input from one software into unexpected input for another. This bug class is [well-documented](<https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf>). In the end, even input sanitization should take care to avoid normalization bugs. Great find, Orange! Also see [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), a MobileIron RCE. **ETA: [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>) uses an _ACL_ bypass, but in retrospect, I don’t think it’s this _auth_ bypass.** This analysis can be applied to [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505>), consequently. Assessed Attacker Value: 5 Assessed Attacker Value: 5Assessed Attacker Value: 4


Related