Ivanti MobileIron Core versions 10.7.0.1-9 and 11.0.0.1-3 suffer from two restricted shell escape vulnerabilities through the install rpm command present in the clish restricted shell. These issues have been fixed in version 11.1.0.0, released on March 15, 2021.
The first, CVE-2021-3198, is an instance of CWE-78, OS Command Injection via the install rpm url command. The second, CVE-2021-3540, is an instance of CWE-88, Argument Injection, via the install rpm info detail command. Both of these shell escapes require that privileged commands be enabled (through the enable command), so given this elevated access requirement, Rapid7 suggests a CVSS score of 6.0 for both issues.
Product Description
Ivanti MobileIron "enables IT to define security and management policies for mobile devices, desktops, apps, and content." For more about MobileIron Core, please see the vendor's website.
Credit
This issue was discovered by Rapid7 researcher William Vu. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.
Exploitation
In the course of debugging a service startup issue, Rapid7 researcher William Vu discovered a shell escape in the restricted shell clish — specifically, the rpm subsystem. Two methods of exploiting this vulnerability are detailed here:
CVE-2021-3198: Install RPM URL OS Command Injection
The install rp ..
Support the originator by clicking the read the rest link below.
