MobileIron Security Updates Available

Update: October 22, 2020:

Since June 2020, when MobileIron published the patches to address the vulnerabilities below, we have engaged in ongoing proactive outreach to help customers secure their systems. That outreach has included calls from our account teams, regular targeted emails, and in-product notices. We currently estimate that between 90% and 95% of all devices are now managed on patched/updated versions of our software. We continue to follow up with the remaining customers where we can determine that they have not yet patched or upgraded affected products.
 

Summary:

Recently, Orange Tsai from DEVCORE reported to MobileIron that he had identified vulnerabilities in MobileIron Core that could allow an attacker to execute remote exploits without authentication.

The MobileIron security and engineering team validated the reported vulnerabilities and extended the review to all supported MobileIron products to identify any related impacts. We developed and made available patches to address these vulnerabilities.
 

| Issue | Description | CVE | CVSS v3 Score |
|---|---|---|---|
| Remote Code Execution | A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | CVE-2020-15505 | 9.8 CRITICAL |
| Arbitrary File Reading | An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. | CVE-2020-15507 | 7.5 HIGH |
| Authentication Bypass | An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | CVE-2020-15506 | 9.8 CRITICAL |


Available Patches:
 

  • MobileIron Core & Enterprise Connector
    Apply one of the following patches (v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1) or update to a later version.
     
  • MobileIron Sentry
    Apply one of the following patches (v9.7.3, v9.8.1) or update to a later version.
     
  • MobileIron Monitor and Reporting Database (RDB)
    Apply the following patch (v2.0.0.2) or update to a later version.
     
  • MobileIron Cloud
    Status: Has been updated.
     

Patches for all impacted products were made available on June 15, 2020. Customers can access all patches at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA
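
For teams checking an inventory against the affected versions listed above, the following is an added example and not MobileIron code. The product keys ("core", "connector", "sentry", "rdb"), the host names and the inventory are constructed for illustration; the version lists are transcribed from the table in this advisory.

```python
# Added example: triage installed versions against this advisory's table.
# Affected versions are transcribed from the advisory; the inventory is constructed.

def parse(version):
    """'v10.4.0.1' -> (10, 4, 0, 1), padded to 4 parts so '9.8' equals '9.8.0'."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

# "X and earlier" is an upper bound; the remaining entries are exact releases.
CORE = {"and_earlier": "10.3.0.3",
        "exact": ["10.4.0.0", "10.4.0.1", "10.4.0.2", "10.4.0.3",
                  "10.5.1.0", "10.5.2.0", "10.6.0.0"]}
SENTRY = {"and_earlier": "9.7.2", "exact": ["9.8.0"]}
RDB = {"and_earlier": "2.0.0.1", "exact": []}

# The file-read CVE is listed for Core only; Sentry and RDB appear only under the RCE.
ADVISORY = {
    "core": [("CVE-2020-15505", CORE), ("CVE-2020-15506", CORE), ("CVE-2020-15507", CORE)],
    "connector": [("CVE-2020-15505", CORE), ("CVE-2020-15506", CORE)],
    "sentry": [("CVE-2020-15505", SENTRY)],
    "rdb": [("CVE-2020-15505", RDB)],
}

def is_affected(version, rule):
    v = parse(version)
    return v <= parse(rule["and_earlier"]) or v in {parse(e) for e in rule["exact"]}

def applicable_cves(product, version):
    """CVEs the advisory lists for this product and version.
    An empty list means 'not listed here', not 'verified safe'."""
    return [cve for cve, rule in ADVISORY[product.lower()] if is_affected(version, rule)]

def triage(inventory):
    """Map each host that matches the advisory to its CVE list."""
    findings = {}
    for host, product, version in inventory:
        cves = applicable_cves(product, version)
        if cves:
            findings[host] = cves
    return findings

# Constructed inventory: (host, product, installed version).
INVENTORY = [("mdm-core-01", "core", "10.4.0.2"), ("mdm-core-02", "core", "10.6.0.1"),
             ("mdm-conn-01", "connector", "9.10.0.0"), ("mdm-sentry-01", "sentry", "9.8.0"),
             ("mdm-rdb-01", "rdb", "2.0.0.2")]

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, ", ".join(cves))
```

Versions are compared as integer tuples, so a release such as 9.10.0.0 is correctly treated as earlier than 10.3.0.3, which a plain string comparison would get wrong.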
 

Recommended Mitigation:

MobileIron strongly recommends that customers apply these patches and any security updates as soon as possible.

Michael Klieman

VP, Product Management