German pen-testers have discovered a vulnerability inside IBM's Tivoli Endpoint Manager mobile device management solution which could leave users vulnerable to cross-site scripting.
The MDM solution is used to manage multiple devices in an enterprise setting, including laptops, desktops, smartphones, tablets and point of sale terminals.
According to IBM security bulletin 1691701, the problematic version of the Tivoli MDM does not validate user-supplied input properly, making it vulnerable to cross-site scripting.
This in turn leaves the MDM solution open to attackers who can run scripts in users' web browsers with specially crafted links, allowing them to capture cookie-based authentication credentials and execute code of their choosing.
Users are advised to upgrade to version 9.0.60100, as no workarounds for the flaw exist.
Components that are vulnerable include the Tivoli Endpoint Manager enrollment and Apple iOS extender, the device management self-service and administration portals, and the trusted service provider.
The flaw was discovered by German penetration testers RedTeam who posted a proof of concept on the Full Disclosure mailing list.
According to the RedTeam advisory, several of the Endpoint Manager components are written in Ruby on Rails and use static secret_token values.
"With these values, attackers can create valid session cookies containing marshalled objects of their choosing.
"This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie," RedTeam wrote.
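The static secret_token weakness RedTeam describes, as an added example that is not code from IBM, RedTeam or the original article: a simplified model of a Rails 3 signed session cookie shows why a secret shared by every install lets one install's cookie pass another install's check, next to a hardened loader that expects a per-install random secret and JSON-decodes the payload instead of unmarshalling it. The cookie layout, the function names and the sample secrets are assumptions constructed for the example.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Model of a Rails-3-style signed session cookie:
#   base64(payload) + "--" + HMAC-SHA1(secret_token, base64(payload))
# CookieStore checks the MAC with secret_token and only then deserialises the payload.
def sign_cookie(payload, secret)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so the MAC check itself does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_cookie(cookie, secret)
  data, mac = cookie.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  secure_compare(expected, mac) ? Base64.strict_decode64(data) : nil
end

# Hardened loader: the payload is JSON, so a cookie that passes the MAC check yields
# plain data only. Rails 3 Marshal.load'ed it instead, which is the step that turns a
# forgeable cookie into code execution.
def load_session(cookie, secret)
  raw = verify_cookie(cookie, secret)
  raw && JSON.parse(raw)
end

# Constructed stand-ins for two ways of provisioning secret_token.
STATIC_SECRET = "0123456789abcdef" * 4              # same literal shipped to every install
RANDOM_SECRET = -> { SecureRandom.hex(64) }          # generated per install at setup time

# Simulates two separate installs: install A issues a cookie, install B verifies it.
# `secret_source` is called once per install, as each install would load its own secret.
def cookie_accepted_across_installs?(secret_source)
  cookie = sign_cookie({ "user_id" => 42 }.to_json, secret_source.call)
  !load_session(cookie, secret_source.call).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "static secret_token, cookie from A accepted by B: #{cookie_accepted_across_installs?(-> { STATIC_SECRET })}"
  puts "per-install secret_token, cookie from A accepted by B: #{cookie_accepted_across_installs?(RANDOM_SECRET)}"
end
```

Run it as a script to see the two cases side by side; the same MAC check accepts the foreign cookie only when secret_token is shared.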