Vulnerability Description
IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0.60100 uses the same secret HMAC token across different customers' installations, which allows remote attackers to execute arbitrary code via crafted marshalled Ruby objects in cookies to (1) Enrollment and Apple iOS Management Extender, (2) Self-service portal, (3) Trusted Services provider, or (4) Admin Portal.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ibm | Tivoli Endpoint Manager Mobile Device Management | <= 9.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/129349/IBM-Endpoint-Manager-For-Mobile-DeviExploit
- http://seclists.org/fulldisclosure/2014/Dec/3Exploit
- http://www-01.ibm.com/support/docview.wss?uid=swg21691701Vendor Advisory
- http://www.securityfocus.com/archive/1/534131/100/0/threaded
- http://www.securityfocus.com/bid/71424
- http://www.securitytracker.com/id/1031306
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-012/-unauthenticated-Exploit
- http://packetstormsecurity.com/files/129349/IBM-Endpoint-Manager-For-Mobile-DeviExploit
- http://seclists.org/fulldisclosure/2014/Dec/3Exploit
- http://www-01.ibm.com/support/docview.wss?uid=swg21691701Vendor Advisory
- http://www.securityfocus.com/archive/1/534131/100/0/threaded
- http://www.securityfocus.com/bid/71424
- http://www.securitytracker.com/id/1031306
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-012/-unauthenticated-Exploit
FAQ
What is CVE-2014-6140?
CVE-2014-6140 is a vulnerability with a CVSS score of 9.3 (HIGH). IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0.60100 uses the same secret HMAC token across different customers' installations, which allows remote attackers to execute arbitrar...
How severe is CVE-2014-6140?
CVE-2014-6140 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-6140?
Check the references section above for vendor advisories and patch information. Affected products include: Ibm Tivoli Endpoint Manager Mobile Device Management.