VYPR
Unrated severity · NVD Advisory · Published Mar 29, 2021 · Updated Aug 3, 2024

CVE-2021-3391

Description

MobileIron Mobile@Work allows attackers to enumerate valid, disabled, and nonexistent user accounts by analyzing lockout error messages after failed login attempts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Mobile@Work mobile application, in versions released through 2021-03-22, exposes a user enumeration vulnerability through its authentication mechanism. By sending repeated login attempts with different usernames, an attacker can distinguish between valid, disabled, and nonexistent accounts based on the number of failed attempts required to trigger a "Lockout" error message [1][2]. No authentication is required to initiate the enumeration.

Exploitation

An unauthenticated attacker can leverage the MobileIron authentication endpoint, discoverable via the hardcoded API key in the Mobile@Work agent [1], to submit login requests. Using a tool such as rustyIron [2], the attacker systematically attempts usernames and observes the response. Valid accounts will lock after a specific number of failed attempts (e.g., 5), disabled accounts may lock after a different number, and nonexistent accounts may never lock or produce a different error. The attacker can script this process to enumerate active users.

Impact

Successful exploitation allows an attacker to build a list of valid and disabled user accounts on the MobileIron MDM platform. This information can be used in further attacks, such as targeted password spraying or brute-force attacks against known valid accounts, potentially leading to unauthorized access to corporate resources managed by MobileIron.

Mitigation

As of the publication date (2021-03-29), no official patch has been released by MobileIron/Ivanti to address this specific enumeration vector. The vulnerability exists in Mobile@Work versions through 2021-03-22. Users can mitigate the risk by disabling MobileIron discovery services and restricting access to the authentication endpoint [1]. Monitoring failed login attempts and implementing additional rate limiting on the server side may also reduce the impact. No CVE-specific patch has been identified.
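To make the oracle concrete from the defender's side, the following is an added example, not MobileIron's or Ivanti's code; the account names, messages, thresholds and log lines are constructed. It models a login handler whose responses differ by account state beside a uniform one, a check that tells the two apart, and a log scan for the one-source-many-usernames pattern that the monitoring suggested above would look for.

```python
# Constructed model of the lockout oracle described above; not MobileIron code.
LOCKOUT_THRESHOLD = 5
USERS = {"alice": "active", "bob": "disabled"}  # any other name: nonexistent

def vulnerable_login(username, failed_attempts):
    """Flawed server: the message, and how many failures precede a lockout,
    depend on the account state, so each state yields a distinct profile."""
    state = USERS.get(username)
    if state == "disabled":
        return "Account disabled"
    if state == "active" and failed_attempts >= LOCKOUT_THRESHOLD:
        return "Lockout"
    return "Invalid credentials"

def hardened_login(username, failed_attempts):
    """Uniform server: one message, and the same lockout counter applied to
    every submitted username whether or not the account exists."""
    if failed_attempts >= LOCKOUT_THRESHOLD:
        return "Too many attempts"
    return "Invalid credentials"

def response_profile(handler, username, attempts=LOCKOUT_THRESHOLD + 1):
    """Messages a username receives across `attempts` consecutive failures."""
    return tuple(handler(username, n) for n in range(1, attempts + 1))

def leaks_account_state(handler):
    """Oracle check: True if valid, disabled and nonexistent names can be
    told apart from the handler's responses alone."""
    profiles = {response_profile(handler, u) for u in ("alice", "bob", "nobody")}
    return len(profiles) > 1

# Constructed log lines: one source sweeping names, one ordinary failed login.
AUTH_LOG = """\
src=198.51.100.7 user=alice result=fail
src=198.51.100.7 user=bob result=fail
src=198.51.100.7 user=carol result=fail
src=198.51.100.7 user=dave result=fail
src=203.0.113.9 user=alice result=fail
"""

def sweeping_sources(log_text, min_distinct_users=4):
    """Detection: sources whose failures span many distinct usernames, the
    footprint of a scripted sweep regardless of which message came back."""
    seen = {}
    for line in log_text.splitlines():
        f = dict(part.split("=", 1) for part in line.split())
        if f.get("result") == "fail":
            seen.setdefault(f["src"], set()).add(f["user"])
    return sorted(s for s, users in seen.items() if len(users) >= min_distinct_users)
```

Running `leaks_account_state` against a real endpoint's responses is the same check, with the handler replaced by a function that submits a login and returns the error text.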

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)