Vulnerability Description
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobileiron | Mobile\@Work | <= 2021-03-22 |
Related Weaknesses (CWE)
References
- https://github.com/optiv/rustyIronExploitThird Party Advisory
- https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=USProduct
- https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-containsExploitThird Party Advisory
- https://github.com/optiv/rustyIronExploitThird Party Advisory
- https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=USProduct
- https://www.optiv.com/explore-optiv-insights/source-zero/mobileiron-mdm-containsExploitThird Party Advisory
FAQ
What is CVE-2020-35137?
CVE-2020-35137 is a vulnerability with a CVSS score of 7.5 (HIGH). The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron...
How severe is CVE-2020-35137?
CVE-2020-35137 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-35137?
Check the references section above for vendor advisories and patch information. Affected products include: Mobileiron Mobile\@Work.