IBM patched a hole in its Endpoint Manager for Mobile Devices that allows attackers to gain remote access and compromise connected mobile devices.
During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager components are built on Ruby on Rails and ship with static secret_token values, according to a blog post.
“With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie,” said the researchers in the blog post.
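To make the quoted mechanism concrete, here is an added example in plain Ruby (not code from RedTeam Pentesting's post or from IBM's product). It re-implements the Rails 3-era signed cookie store format, base64(Marshal.dump(session)) plus an HMAC-SHA1 tag keyed by secret_token, with a constructed stand-in for a static secret. It shows the three points the quote makes: whoever holds the secret can mint a cookie the server accepts, Marshal.load of that cookie instantiates whatever classes the attacker named and runs their marshal_load hooks before any controller code, and the identical forgery fails against a per-install random secret or a serializer that can only produce plain JSON types. The `Probe` class, the `JsonSerializer` module and every secret value are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for a secret_token baked into shipped source code.
# Not IBM's real value; the point is only that it is identical on every install.
STATIC_SECRET = 'constructed-static-secret-token-shared-by-every-install'

# Minimal re-implementation of the Rails 3-era signed cookie format:
#   cookie = base64(serializer.dump(session)) + "--" + hex(HMAC-SHA1(secret, base64 part))
def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

def build_cookie(session, secret, serializer = Marshal)
  data = Base64.strict_encode64(serializer.dump(session))
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison so the signature check does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: deserialize only after the HMAC verifies. Returns nil on a bad or
# missing signature, so tampering with the data part without the secret gets nothing.
def read_cookie(cookie, secret, serializer = Marshal)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(sign(data, secret), sig)
  serializer.load(Base64.strict_decode64(data))
end

# Hypothetical application class. Its marshal_load hook runs inside Marshal.load,
# i.e. while the cookie is being parsed, before any application logic sees the session.
class Probe
  attr_reader :label, :hook_ran

  def initialize(label)
    @label = label
    @hook_ran = false
  end

  def marshal_dump
    @label
  end

  def marshal_load(label)
    @label = label
    @hook_ran = true # any code placed here would execute during unmarshalling
  end
end

# Hardened alternative: a serializer whose output can only ever be
# Hash/Array/String/Numeric/true/false/nil, so no application class is ever instantiated.
module JsonSerializer
  def self.dump(obj)
    JSON.generate(obj)
  end

  def self.load(str)
    JSON.parse(str)
  end
end

# Attacker side: with the static secret known from the shipped code, mint a session
# of their choosing, including an object whose class lives on the server.
def forge_session(secret, serializer = Marshal)
  session = { 'user_id' => 1, 'role' => 'admin', 'probe' => Probe.new('x') }
  build_cookie(session, secret, serializer)
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_session(STATIC_SECRET)
  p read_cookie(forged, STATIC_SECRET)                        # accepted; probe.hook_ran is true
  p read_cookie(forged, OpenSSL::Random.random_bytes(32))     # nil: per-install secret rejects it
  p read_cookie(forge_session(STATIC_SECRET, JsonSerializer), STATIC_SECRET, JsonSerializer)
end
```

The fix IBM shipped is the first of the two defenses shown: a secret that differs per installation, so knowledge of the source code no longer yields a valid signature. The second, refusing to Marshal.load cookie data at all, is what later Rails versions moved to by default, and it is the defense that still holds if a secret ever leaks.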
Versions of IBM’s product prior to 9.0.60100 are vulnerable.
Affected components include enrollment and Apple iOS management extender; mobile device management self-service portal; mobile device management admin portal, and trusted service provider.
“IBM Endpoint Manager for Mobile Devices provides a completely integrated approach for managing, securing, and reporting on laptops, desktops, servers, smartphones, tablets, and even specialty devices such as point-of-sale terminals. This provides customers with unprecedented real-time visibility and control over all devices employees use in their daily job functions; reducing costs, increasing productivity, and improving compliance,” said the vendor’s homepage.