-----BEGIN PGP SIGNED MESSAGE-----
Matta Consulting - Matta Advisory
MobileIron Multiple Products
Authentication Bypass Vulnerability
Advisory ID: MATTA-2013-004
CVE reference: CVE-2014-1409, CVE-2013-7286
Affected platforms: VSP and Sentry
Version: VSP < 5.9.1 and Sentry < 5.0
Security risk: Critical
Researcher: Nico Leidecker
Vendor Status: Patch released
Vulnerability Disclosure Policy:
During an external penetration test exercise for one of our clients,
an authentication bypass vulnerability was found in the
administrative interface of a MobileIron deployment. This ultimately
allowed us to, gain access to our client's internal network.
The 'j_username' parameter of the script at
https:///mics/j_spring_security_check is vulnerable to blind
XPath Injection, allowing an unauthenticated attacker to retrieve the
underlying XML document.
This XML document is an excerpt of the configuration file of the
device. It contains obfuscated passwords and, depending on
configuration, might contain domain credentials and allow the
attacker to reposition both internally and on any of the attached
This vulnerability has been assigned CVE-2014-1409.
The password obfuscation algorithm is known and has already been
documented ... AES-ECB-PKCS1.5 with a known, shared key. While we
won't release a full-featured exploit for the vulnerability, we will
release a PoC to confirm whether the hashes are indeed vulnerable.
The vendor has confirmed that a stronger encryption method is used
since release 5.7.
This vulnerability has been assigned CVE-2013-7286.
NB: A second insecure encryption scheme is described in , MITRE has
assigned CVE-2013-7287 to that separate vulnerability.
Base64 encoded script to confirm whether the hash provided is
vulnerable to CVE-2013-7286:
Successful exploitation allows an unauthenticated attacker to take
over the device and potentially any device attached to it as well
as the Active Directory Domain it might be linked to.
- - Sentry Standalone < 5
- - VSP < 5.9.1
Restrict access to the MICS service (administrative interface) to
MICS Portal -> Security -> Portal ACLs -> System Manager Portal ACL
This vulnerability was discovered by Nico Leidecker from Matta
19-12-13 initial discovery
30-12-13 client has mitigated the vulnerability
30-12-13 initial attempt to contact the vendor
30-12-13 reply from the vendor
31-12-13 a draft of this advisory is sent to the vendor
03-01-14 vendor can't reproduce / ask for more details
03-01-14 more details are sent
07-01-14 vendor recognize that there is a bug but dissmisses it as a
07-01-14 more details are sent
14-01-14 a week lapsed, no reply... we chase it up
14-01-14 vendor reply: they're working on a response
15-01-14 vendor respond: reclassify the bug as a security issue,
indicate that they indend on fixing the bug in the Q1 release,
provide a workaround and ask for us to hold on releasing the
advisory until the release is published
15-01-14 we agree to a deadline extension, send the CVEs MITRE has
19-02-14 vendor release 5.9.1 (but doesn't let us know)
31-03-14 vendor indicate that the release of VSP 6 is delayed but
the bugs have been fixed in 5.9.1
02-04-14 release of this advisory
Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training and conducts regular research.
Disclaimer and Copyright
Copyright (c) 2014 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties,
either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Matta Consulting or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Matta
Consulting or its suppliers have been advised of the possibility
of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----