Big Blue patches big blooper in Endpoint Manager for mobes
Hole means bad guys could manage your mobile devices for you
Big Blue has patched a serious hole in its Endpoint Manager for Mobile Devices that allows attackers to gain remote access and compromise connected mobes.
Endpoint Manager appears to have been written with Ruby, and the flaw means "attackers can create valid session cookies containing marshalled objects of their choosing," according to chaps at RedTeam Pentesting who have posted about the problem. "This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie," their post says.
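The bug class described above is that a Rails cookie store which unmarshals whatever the client presents will instantiate arbitrary objects if the attacker can get a cookie accepted as valid. The following is an added illustration of the defensive pattern, not code from RedTeam's post, from IBM, or from Rails itself: a hypothetical cookie-session module that authenticates the cookie with an HMAC before touching the payload, and serialises the session as JSON rather than Marshal so that deserialisation can only ever produce plain hashes, arrays, strings and numbers. The module name, the `--` separator and the secret value are assumptions made for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical hardened cookie-session store (example code, not IBM's
# or Rails' own implementation). Two defences against the class of bug
# described in the article:
#   1. The payload is JSON, never Marshal: JSON.parse only ever yields
#      Hash/Array/String/Numeric/true/false/nil, so a cookie cannot make
#      the server instantiate arbitrary classes on deserialisation.
#   2. The payload is authenticated with an HMAC keyed by a per-deployment
#      secret, checked in constant time before the payload is even parsed.
module SessionCookie
  DIGEST = 'SHA256'

  # Serialise a session hash into a "payload--signature" cookie value.
  def self.encode(session, secret)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload, secret)}"
  end

  # Return the session hash, or nil when the cookie is malformed,
  # unsigned, tampered with, or signed with the wrong key.
  def self.decode(cookie, secret)
    return nil unless cookie.is_a?(String)
    payload, signature = cookie.split('--', 2)
    return nil if payload.nil? || signature.nil?
    return nil unless secure_compare(sign(payload, secret), signature)
    data = JSON.parse(Base64.strict_decode64(payload))
    data.is_a?(Hash) ? data : nil
  rescue JSON::ParserError, ArgumentError
    nil
  end

  def self.sign(payload, secret)
    OpenSSL::HMAC.hexdigest(DIGEST, secret, payload)
  end

  # Constant-time comparison so response timing cannot be used to
  # recover a valid signature byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-example-secret-rotate-me'   # constructed for the demo
  cookie = SessionCookie.encode({ 'user_id' => 42, 'role' => 'admin' }, secret)
  puts "cookie:   #{cookie}"
  puts "decoded:  #{SessionCookie.decode(cookie, secret).inspect}"
  # Change the payload but keep the old signature: the HMAC check rejects it
  # and the payload is never parsed.
  altered = Base64.strict_encode64(JSON.generate({ 'user_id' => 42, 'role' => 'superadmin' }))
  forged = "#{altered}--#{cookie.split('--', 2).last}"
  puts "tampered: #{SessionCookie.decode(forged, secret).inspect}"
end
```

The order of operations is the point: the signature is verified over the raw, still-encoded payload, so nothing from the client is decoded or parsed until it has been proven to come from the server's own key. Swapping Marshal for JSON then removes the remaining risk that a leaked or guessable key turns cookie forgery into code execution, because a JSON document cannot name a class to instantiate.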
Versions of IBM's product prior to 9.0.60100 are vulnerable.
Affected components include enrollment and Apple iOS management extender; mobile device management self-service portal; mobile device management admin portal, and trusted service provider. ®