MobileIron Security Updates Available

Summary:

Recently, Orange Tsai from DEVCORE reported to MobileIron that he had identified vulnerabilities in MobileIron Core that could allow an attacker to execute remote exploits without authentication.

The MobileIron security and engineering team validated the reported vulnerabilities and extended the review to all supported MobileIron products to identify any related impacts. We developed and made available patches to address these vulnerabilities.
 

| Issue | Description | CVE |
|---|---|---|
| Remote Code Execution | A remote code execution vulnerability in MobileIron Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | CVE-2020-15505 |
| Arbitrary File Reading | An arbitrary file reading vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to read files on the system via unspecified vectors. | CVE-2020-15507 |
| Authentication Bypass | An Authentication Bypass vulnerability in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | CVE-2020-15506 |


We are not aware of any customers impacted due to these vulnerabilities.


Products Affected and Available Patches:

  • MobileIron Core
  • MobileIron Sentry
  • MobileIron Cloud
  • Enterprise Connector
  • Reporting Database (RDB)

Patches for all impacted products were made available on June 15, 2020. Customers can access all patches at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA
 

Recommended Mitigation:

MobileIron strongly recommends that customers apply these patches and any security updates as soon as possible.

Michael Klieman

VP, Product Management