
Cloud Vulnerability DB
A community-led vulnerabilities database
A remote code execution vulnerability (CVE-2020-15505) was discovered in MobileIron Core & Connector, affecting versions 10.3.0.3 and earlier, 10.4.0.0-10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0, as well as Sentry versions 9.7.2 and earlier, and 9.8.0, and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier. The vulnerability was initially reported by Orange Tsai from DEVCORE on April 3, 2020, and MobileIron released patches on June 15, 2020 (MobileIron Blog, Perch Security).
The vulnerability exists in a Tomcat web service that deserializes user-supplied input in the Hessian format. The vulnerable endpoints are exposed on both the user enrollment interface (https://mobileiron/mifs/services/) and the management interface (https://mobileiron:8443/mics/services/). Although the deserialization is intended to be reachable only through the management interface, attackers can bypass the access controls by exploiting inconsistencies between how Apache and Tomcat parse specific URL patterns. The vulnerability received a CVSS v3 score of 9.8 (CRITICAL) (Perch Security).
The vulnerability allows remote attackers to execute arbitrary code without authentication, potentially leading to complete system compromise. This can enable attackers to gain access to internal networks, as demonstrated when the vulnerability was used to infiltrate Facebook's internal network through their MDM server. The National Security Agency identified this vulnerability as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers (Perch Security).
MobileIron released patches for all affected products on June 15, 2020. For MobileIron Core & Enterprise Connector, users should apply one of the following patches: v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1, or update to a later version. For Sentry, apply patches v9.7.3 or v9.8.1. For Monitor and Reporting Database (RDB), apply patch v2.0.0.2. MobileIron strongly recommends customers apply these patches immediately (MobileIron Blog).
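As an added illustration of the affected and fixed version lists above, the following Python helper encodes the ranges from this advisory and flags inventory entries that still need a patch. It is example code, not code from MobileIron or from this database; the product keys `core`, `sentry` and `rdb`, the hostnames, and the sample versions are constructed for the example.

```python
import re

# Affected ranges and fixing build per this advisory: (lowest affected or None for "and earlier", highest affected, fix).
AFFECTED = {
    "core": [  # MobileIron Core & Enterprise Connector
        (None, "10.3.0.3", "10.3.0.4"),
        ("10.4.0.0", "10.4.0.3", "10.4.0.4"),
        ("10.5.1.0", "10.5.1.0", "10.5.1.1"),
        ("10.5.2.0", "10.5.2.0", "10.5.2.1"),
        ("10.6.0.0", "10.6.0.0", "10.6.0.1"),
    ],
    "sentry": [(None, "9.7.2", "9.7.3"), ("9.8.0", "9.8.0", "9.8.1")],
    "rdb": [(None, "2.0.0.1", "2.0.0.2")],  # Monitor and Reporting Database
}

def parse_version(text):
    """Map '10.4.0.3' or '10.4.0.3-build12' to a 4-tuple of ints; short versions pad with zeros."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def assess(product, version):
    """Return ('vulnerable', fix) for a build in an affected range, else ('not_listed', None)."""
    v = parse_version(version)
    for low, high, fix in AFFECTED[product.lower()]:
        if (low is None or parse_version(low) <= v) and v <= parse_version(high):
            return "vulnerable", fix
    return "not_listed", None

def triage(inventory):
    """inventory: iterable of (host, product, version); yields the entries that still need the patch."""
    for host, product, version in inventory:
        status, fix = assess(product, version)
        if status == "vulnerable":
            yield host, product, version, fix

# Constructed sample inventory: hostnames and versions are invented for illustration.
SAMPLE_INVENTORY = [
    ("mdm-core-01", "core", "10.4.0.2"),      # inside the 10.4.0.0-10.4.0.3 range
    ("mdm-core-02", "core", "10.5.1.1"),      # already on the fixed build
    ("sentry-01", "sentry", "9.8.0-build7"),  # build suffix is ignored when comparing
    ("rdb-01", "rdb", "2.0.0.2"),             # already on the fixed build
    ("mdm-core-03", "core", "10.2"),          # covered by "10.3.0.3 and earlier"
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by CVE-2020-15505, apply {fix}")
```

A `not_listed` result means the build is either a fixed release or one the advisory does not name as affected; it is not proof that the host is safe against other issues.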
The vulnerability gained significant attention after it was used to breach Facebook's internal network as part of the company's bug bounty program. MobileIron estimates that it has approximately 20,000 customers, although internet scans found only about 5,000 exposed MobileIron servers, of which more than 60% had been patched. The company reported that 90-95% of all managed devices are now running patched or updated versions of its software (Perch Security, MobileIron Blog).
Source: This report was generated using AI