Description
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack
Related CPE's
a
mobileiron
mobile\@work
References
https://github.com/optiv/rustyIron
https://play.google.com/store/apps/details?id=com.mobileiron&hl=en_US&gl=US
https://www.ivanti.com/blog/a-warranted-response-to-inaccurate-optiv-research
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 · Critical
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Modified
Published
2021-03-29T20:15:13.077
4 years agoLast modified
2024-08-04T17:15:53.933
11 months ago