Advisory: Sophos Mobile Control - vulnerability found in JBoss

  • Article ID: 119987
  • Updated: 17 Dec 2014

A vulnerability has been found in the version of JBoss used by Sophos Mobile Control (SMC). The JBoss server could be altered remotely to execute code and gain full access to the file system.

For more detailed information about JBoss and this vulnerability, refer to the section Additional information/FAQs below.

Applies to the following Sophos product(s) and version(s)

Sophos Mobile Control 3.5
Sophos Mobile Control 3.0
Sophos Mobile Control 2.5.0

Fixed in 
Sophos Mobile Control 3.6

Operating systems
All Windows Servers

What To Do

To prevent the exploit from being executed, we strongly recommend that you do the following:

  1. Stop the SMC Service (SMCSVC).
  2. Delete the folder: %MDM_HOME%\jboss\server\mdm\deploy\http-invoker.sar
    Important: Do not rename this folder. You must delete it.
  3. Start the SMC Service (SMCSVC).
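
The three steps above as a PowerShell script, to be run from an elevated prompt on the SMC server. This is an added example, not a Sophos-supplied script: it assumes %MDM_HOME% is available as an environment variable (otherwise pass the installation path with the script's own -MdmHome parameter), and it additionally checks that no renamed copy of the folder is left behind.

```powershell
# Added example: applies the workaround steps and verifies the result.
# Assumption: MDM_HOME is set as an environment variable; otherwise pass -MdmHome.
param(
    [string]$MdmHome = $env:MDM_HOME,
    [string]$ServiceName = 'SMCSVC'
)
$ErrorActionPreference = 'Stop'

if ([string]::IsNullOrWhiteSpace($MdmHome)) {
    throw 'MDM_HOME is not set; pass the SMC installation path with -MdmHome.'
}
$deploy = Join-Path $MdmHome 'jboss\server\mdm\deploy'
$target = Join-Path $deploy 'http-invoker.sar'
if (-not (Test-Path -LiteralPath $deploy -PathType Container)) {
    throw "Deploy folder not found: $deploy"
}

# Step 1: stop the service and wait until it has really stopped.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Step 2: delete (never rename) the folder.
if (Test-Path -LiteralPath $target) {
    Remove-Item -LiteralPath $target -Recurse -Force
}

# Verify: nothing named *http-invoker* may remain in deploy. This also
# catches a renamed or backup copy left by an earlier attempt.
$leftover = @(Get-ChildItem -LiteralPath $deploy -Force |
    Where-Object { $_.Name -like '*http-invoker*' })
if ($leftover.Count -gt 0) {
    $leftover | ForEach-Object { Write-Warning "Still present: $($_.FullName)" }
    # The service is deliberately left stopped until the folder is gone.
    throw 'http-invoker content remains in the deploy folder; delete it before restarting.'
}

# Step 3: start the service again and show its state.
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

If the verification step fails, the script stops before restarting the service, so the server is not brought back up with the folder still in place.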

This issue will be fixed in SMC version 3.6. You should upgrade to version 3.6 as soon as possible after it is released. According to the current plan, we hope to release SMC version 3.6 on or about 14 November 2013.

Additional information/FAQs

What is JBoss?
JBoss is the underlying Java application server which is used by SMC. 

What exactly does the vulnerability allow an attacker to do?
The JBoss server could be altered remotely to execute code and gain full access to the file system. The attacker's code runs on the server with the same permissions as the account JBoss is running under.

Does this mean that an attacker can gain remote execution for most of our SMC installations?
Yes

For a typical customer configuration, is this vulnerability exposed over the internet?
Yes

Does the fix described above (of deleting the folder) completely remove the vulnerability?
Yes

How was the vulnerability reported?
The vulnerability was reported to Security Focus on October 15, and Sophos has just become aware of it.

Have any exploits been reported yet?
No

What action has Sophos taken to protect us against this vulnerability?

  • Sophos has fixed the vulnerability in the forthcoming version 3.6. 
  • We have identified a quick fix (described above) to remove it from current versions.
  • We advise all customers to implement this fix immediately. This will prevent the exploit from being executed.
  • We also recommend that you upgrade to version 3.6 as soon as possible after it is released.

 

 
If you need more information or guidance, then please contact technical support.
