MobileIron Security Updates Available
Update: October 22, 2020
Since June 2020, when MobileIron published the patches to address the vulnerabilities below, we have engaged in ongoing proactive outreach to help customers secure their systems. That outreach has included calls from our account teams, regular targeted emails, and in-product notices. We currently estimate that between 90% and 95% of all devices are now managed on patched/updated versions of our software. We continue to follow up with the remaining customers where we can determine that they have not yet patched or upgraded affected products.
Recently, Orange Tsai from DEVCORE reported to MobileIron that he had identified vulnerabilities in MobileIron Core that could allow an attacker to execute remote exploits without authentication.
The MobileIron security and engineering team validated the reported vulnerabilities and extended the review to all supported MobileIron products to identify any related impacts. We developed and made available patches to address these vulnerabilities.
| Issue | Description | CVE | CVSS v3 Score |
|---|---|---|---|
| Remote Code Execution | A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 184.108.40.206 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | CVE-2020-15505 | 9.8 CRITICAL |
| Arbitrary File Reading | An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. | CVE-2020-15507 | 7.5 HIGH |
| Authentication Bypass | An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | CVE-2020-15506 | 9.8 CRITICAL |
- MobileIron Core & Enterprise Connector
  Apply one of the following patches (v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1) or update to a later version.
- MobileIron Sentry
  Apply one of the following patches (v9.7.3, v9.8.1) or update to a later version.
- MobileIron Monitor and Reporting Database (RDB)
  Apply the following patch (v220.127.116.11) or update to a later version.
- MobileIron Cloud
  Status: Has been updated.
Patches for all impacted products were made available on June 15, 2020. Customers can access all patches at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA
MobileIron strongly recommends that customers apply these patches and any security updates as soon as possible.
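A way to check an inventory against the affected-version lists in the table above, as an added example that is not MobileIron's code. The product keys, host names and inventory rows are constructed for illustration, and RDB is omitted.

```python
# Added example, not vendor code. Affected versions are copied from the advisory
# table; product keys and the sample inventory are constructed for illustration.
CORE = {"max_earlier": "10.3.0.3",
        "listed": ["10.4.0.0", "10.4.0.1", "10.4.0.2", "10.4.0.3",
                   "10.5.1.0", "10.5.2.0", "10.6.0.0"]}
AFFECTED = {"core": CORE, "connector": CORE,  # advisory groups Core & Connector
            "sentry": {"max_earlier": "9.7.2", "listed": ["9.8.0"]}}


def parse_version(text):
    """'v10.4.0.2' -> (10, 4, 0, 2); short versions are zero-padded to 4 parts."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(product, version):
    """True if the version is at or below the 'and earlier' ceiling or listed."""
    rule = AFFECTED[product.lower()]
    v = parse_version(version)
    # Compare as integer tuples: as strings, "10.10.0.0" sorts before "10.3.0.3".
    if v <= parse_version(rule["max_earlier"]):
        return True
    return v in {parse_version(x) for x in rule["listed"]}


def triage(inventory):
    """Map each (host, product, version) row to (host, status)."""
    results = []
    for host, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "not listed"
        except (KeyError, ValueError):
            status = "needs manual review"  # unknown product or odd version string
        results.append((host, status))
    return results


if __name__ == "__main__":
    sample = [("mdm-01", "core", "10.4.0.2"), ("mdm-02", "core", "10.6.0.1"),
              ("gw-01", "sentry", "9.7.2"), ("gw-02", "sentry", "v9.8.1"),
              ("rpt-01", "rdb", "unknown")]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

A "not listed" result only means the version does not appear in the advisory's table; it is not a statement that the build is patched.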