*This post originally appeared on the MobileIron blog prior to the acquisition in December 2020, when MobileIron became part of Ivanti.

Since June 2020, when MobileIron published the patches to address the vulnerabilities below, we have engaged in ongoing proactive outreach to help customers secure their systems. That outreach has included calls from our account teams, regular targeted emails, and in-product notices. We currently estimate that between 90% and 95% of all devices are now managed on patched/updated versions of our software. We continue to follow up with the remaining customers where we can determine that they have not yet patched or upgraded affected products.
 

Summary:

Recently, Orange Tsai from DEVCORE reported to MobileIron that he had identified vulnerabilities in MobileIron Core that could allow an attacker to execute remote exploits without authentication.

The MobileIron security and engineering team validated the reported vulnerabilities and extended the review to all supported MobileIron products to identify any related impacts. We developed and made available patches to address these vulnerabilities.
 

| Issue | Description | CVE | CVSS v3 Score |
|---|---|---|---|
| Remote Code Execution | A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | CVE-2020-15505 | 9.8 CRITICAL |
| Arbitrary File Reading | An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. | CVE-2020-15507 | 7.5 HIGH |
| Authentication Bypass | An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | CVE-2020-15506 | 9.8 CRITICAL |


Available Patches:
 

  • MobileIron Core & Enterprise Connector
    Apply one of the following patches (v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1) or update to a later version.
     
  • MobileIron Sentry
    Apply one of the following patches (v9.7.3, v9.8.1) or update to a later version.
     
  • MobileIron Monitor and Reporting Database (RDB)
    Apply the following patch (v2.0.0.2) or update to a later version.
     
  • MobileIron Cloud
    Status: Has been updated.
     

Patches for all impacted products were made available on June 15, 2020. Customers can access all patches at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA
 

Recommended Mitigation:

MobileIron strongly recommends that customers apply these patches and any security updates as soon as possible.
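
The following is an added example, not MobileIron code: a small inventory triage that applies the affected and patched version lists from this advisory. The product keys (`core`, `connector`, `sentry`, `rdb`), the `unlisted` status for builds the advisory does not name, and the sample inventory rows are assumptions made for illustration.

```python
# Added example: advisory version lists are copied from the page;
# the inventory rows and host names below are constructed sample data.
CORE = ("10.3.0.3",
        ["10.4.0.0", "10.4.0.1", "10.4.0.2", "10.4.0.3", "10.5.1.0", "10.5.2.0", "10.6.0.0"],
        ["10.3.0.4", "10.4.0.4", "10.5.1.1", "10.5.2.1", "10.6.0.1"])
RCE, FILE_READ, AUTH_BYPASS = "CVE-2020-15505", "CVE-2020-15507", "CVE-2020-15506"
# product -> ("and earlier" ceiling, other affected builds, patch builds, CVEs)
ADVISORY = {
    "core": CORE + ([RCE, FILE_READ, AUTH_BYPASS],),
    "connector": CORE + ([RCE, AUTH_BYPASS],),
    "sentry": ("9.7.2", ["9.8.0"], ["9.7.3", "9.8.1"], [RCE]),
    "rdb": ("2.0.0.1", [], ["2.0.0.2"], [RCE]),
}

def parse(version):
    """'v9.8' -> (9, 8, 0, 0): pad to four fields so 9.8 equals 9.8.0."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(product, version):
    """Return (status, cves); status is 'affected', 'patched' or 'unlisted'."""
    ceiling, listed, patches, cves = ADVISORY[product.lower()]
    v, fixed = parse(version), [parse(p) for p in patches]
    if v <= parse(ceiling) or v in [parse(b) for b in listed]:
        return "affected", cves
    if v in fixed or v > max(fixed):
        return "patched", []
    # Between releases the advisory names, e.g. 10.5.0.0: confirm with the vendor.
    return "unlisted", []

def triage(inventory):
    """Keep every row that is not confirmed patched, with its status and CVEs."""
    rows = [(host, prod, ver) + classify(prod, ver) for host, prod, ver in inventory]
    return [r for r in rows if r[3] != "patched"]

if __name__ == "__main__":
    sample = [("mdm-01", "Core", "10.6.0.0"), ("mdm-02", "Core", "10.6.0.1"),
              ("gw-01", "Sentry", "9.8"), ("rpt-01", "RDB", "2.0.0.2"),
              ("mdm-03", "Connector", "10.5.0.0")]
    for host, prod, ver, status, cves in triage(sample):
        print(f"{host}\t{prod} {ver}\t{status}\t{', '.join(cves)}")
```

Rows reported as `unlisted` are builds that fall between the releases this advisory names, so the script neither clears nor condemns them.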