NVD Vulnerability Detail

CVE-2020-35138

Summary	The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack
Publication Date	March 30, 2021, 5:15 a.m.
Registration Date	March 30, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 2:26 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mobileiron:mobile\@work::::::iphone_os::*		2021-03-22
cpe:2.3:a:mobileiron:mobile\@work::::::android::*		2021-03-22

Related information, measures and tools

No	URL	タグ
1	https://github.com/optiv/rustyIron	Exploit Third Party Advisory
2	https://github.com/optiv/rustyIron	Exploit Third Party Advisory
3	https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US	Product Third Party Advisory
4	https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US	Product Third Party Advisory
5	https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research	Third Party Advisory
6	https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research	Third Party Advisory
7	https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration	Exploit Third Party Advisory
8	https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-contains-static-key-allowing-account-enumeration	Exploit Third Party Advisory
9	https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration	Exploit Third Party Advisory
10	https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-798	ハードコードされた認証情報の使用	https://cwe.mitre.org/data/definitions/798.html

JVN Vulnerability Information

Android および iOS 用 Mobile@Work におけるハードコードされた認証情報の使用に関する脆弱性

Title	Android および iOS 用 Mobile@Work におけるハードコードされた認証情報の使用に関する脆弱性
Summary	未確定本件は、脆弱性として確定していません。 Android および iOS 用 Mobile@Work には、ハードコードされた認証情報の使用に関する脆弱性が存在します。ベンダは、本脆弱性に対して異議を唱えています。詳細については、以下の NVD の Current Description を確認してください。 https://nvd.nist.gov/vuln/detail/CVE-2020-35138
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 11, 2020, midnight
Registration Date	Dec. 6, 2021, 5:15 p.m.
Last Update	Dec. 6, 2021, 5:15 p.m.

Affected System

mobileiron

mobile@work 2021/03/22 まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-35138	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35138
National Vulnerability Database (NVD)
2	CVE-2020-35138	https://nvd.nist.gov/vuln/detail/CVE-2020-35138

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-798	https://cwe.mitre.org/data/definitions/798.html

ベンダー情報

No	Name	URL
Google play
1	Mobile@Work	https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US

その他

No	Name	URL
関連文書
1	MobileIron MDM Contains Static Key Allowing Account Enumeration	https://www.optiv.com/insights/source-zero/blog/mobileiron-mdm-contains-static-key-allowing-account-enumeration
2	rustyIron	https://github.com/optiv/rustyIron

Change Log

No	Changed Details	Date of change
1	[2021年12月06日] 掲載	Dec. 6, 2021, 5:15 p.m.