Handling remote code execution exploits - MobileIron's Guidance

Remote Code Execution (RCE) attacks have been commonplace for quite some time now. In fact, the Common Vulnerabilities and Exposures (CVE) repository lists 336 entries dating all the way back to 1999!

While some of these security vulnerabilities may not result in attacks, we know vulnerabilities do exist on many platforms that may lead to RCE attacks, so we want to highlight how MobileIron’s unified endpoint management (UEM) and threat defense (MTD) solutions can help to mitigate attacks based on these vulnerabilities.

RCE-based exploitation of devices normally means a jailbreak or rooting is performed remotely. This grants the threat actor root-level access to bypass native security controls, with the ultimate goal of extracting all data from the device and then reselling any secrets found on the dark web for financial gain. A jailbreak or root is required to break the sandbox isolation of mobile apps, including all system apps.

Based on previous exploits, some of which escape app sandbox isolation, threats such as Elevation of Privileges (EoP), File System Changed, and App Tampering or System Tampering would be detected by MTD. MTD would instruct UEM to trigger a quarantine compliance action that removes managed apps and their content from the device, preventing any data loss. If the exploit tried to make a command-and-control connection to a mothership server on the dark web to exfiltrate the stolen data, then Gateway Change or DNS Change (network) threats would also be triggered, and the compliance action to block network traffic and prevent any data from leaving the device could be enforced. If the exploit performed lateral movement onto any connected network, an Internal Network Access or Network Handoff threat would be detected, with UEM triggering a compliance action to block or sinkhole network traffic.

If a tethered, semi-tethered, or untethered jailbreak is performed, both UEM and MTD would detect the device state and trigger a quarantine compliance action that removes the managed apps and content from the device, and then block any outbound traffic from the device to prevent any data loss.

With MobileIron UEM and corporate-owned devices, administrators can install updates to the devices once new patches are released. For BYOD devices, MobileIron can send a push notification so that employees can upgrade as soon as possible. A tiered compliance policy can also be enforced by setting a time limit for the user to update to the prescribed OS version that has the security fixes in place. A notification can be sent to both the user and the UEM administrator that a device is out of compliance. Then, after a specified amount of time such as four hours or one day elapses, more restrictive compliance actions can be enforced: blocking access to the corporate network and work resources, quarantining the device by removing managed apps and content, or, as a final action, retiring the device completely from UEM. MobileIron Access can also be deployed to block the device or user from synchronizing with Exchange Online or other mail servers.

Reach out to us if you have any questions.

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.

Rich Festante

Technical Marketing Engineer at MobileIron