Executive Summary

Summary
Title Xelex Technologies MobileTrack contains multiple vulnerabilities
Informations
Name VU#464683 First vendor Publication 2012-05-21
Vendor VU-CERT Last vendor Modification 2012-05-25
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.6 Attack Range Network
Cvss Impact Score 10 Attack Complexity High
Cvss Expoit Score 4.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#464683

Xelex Technologies MobileTrack contains multiple vulnerabilities

Original Release date: 21 May 2012 | Last revised: 25 May 2012

Overview

Xelex Technologies' MobileTrack application has been reported to not verify the source of administrative SMS commands. An unauthenticated remote attacker can send commands over SMS to MobileTrack. User data is also exposed on an insecure FTP server account.

Description

The website for MobileTrack states:

    "MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations."


CVE-2012-2562: Lack of authentication for administrative SMS commands
It has been reported that the source of SMS commands are not verified (CWE-306). An unauthenticated remote attacker that knows the phone number of a device with MobileTrack installed can run commands over SMS as if they were the administrator. Some of the available commands that would be useful to an attacker are TERM and WIPE.TERM uninstalls the application and WIPE will wipe the entire phone.

CVE-2012-2567: Information exposure on insecure non-default FTP account
MobileTrack also contains an information exposure vulnerability for a non-default configuration that uses FTP instead of HTTPS. Although it is not the default, a MobileTrack system administrator may inadvertently create a situation where user data is stored on Xelex's FTP server using the same username and password for all MobileTrack users (CWE-200). The data on the FTP server is automatically removed from the directory after upload so the window of opportunity for an attacker to copy the data is small. Test credentials are hard coded (CWE-798) into the MobileTrack application and data is transferred unencrypted (CWE-311) over FTP if the default HTTPS option is not used. The vendor has stated the hard-coded test credentials are not actively used in the application.

Additional details may be found in Mobile Defense's security advisory.

Impact

An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex's FTP server may be exposed.

Solution

Apply an Update
MobileTrack version 2.4 will be released to address these vulnerabilities. In version 2.4, the hard-coded test credentials, as well as, the FTP feature are removed and SMS commands are not accepted directly. A single SMS command will tell MobileTrack to check the server for the specific command that is to be executed. If the server does not contain a command to execute nothing will happen.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
XelexAffected08 May 201221 May 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base7.3AV:N/AC:H/Au:N/C:P/I:C/A:C
Temporal5.6E:U/RL:U/RC:UC
Environmental5.6CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • http://www.xelex.net/mobiletrack/
  • http://play.google.com/store/apps/details?id=com.mobiletrack
  • http://blog.mobiledefense.com/2012/05/mobile-defense-finds-two-security-vulnerabilities-in-xelex-mobiletrack/
  • http://cwe.mitre.org/data/definitions/306.html
  • http://cwe.mitre.org/data/definitions/798.html
  • http://cwe.mitre.org/data/definitions/200.html
  • http://cwe.mitre.org/data/definitions/311.html

Credit

Thanks to the Mobile Defense Threat Research Team for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs:CVE-2012-2562CVE-2012-2567
  • Date Public:21 May 2012
  • Date First Published:21 May 2012
  • Date Last Updated:25 May 2012
  • Document Revision:41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.


This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/464683

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-287 Improper Authentication
33 % CWE-255 Credentials Management
33 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1