Vulnerability Note VU#464683
Xelex Technologies MobileTrack contains multiple vulnerabilities
Xelex Technologies' MobileTrack application has been reported to not verify the source of administrative SMS commands. An unauthenticated remote attacker can send commands over SMS to MobileTrack. User data is also exposed on an insecure FTP server account.
The website for MobileTrack states:
"MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations."
CVE-2012-2562: Lack of authentication for administrative SMS commands
It has been reported that the source of SMS commands are not verified (CWE-306). An unauthenticated remote attacker that knows the phone number of a device with MobileTrack installed can run commands over SMS as if they were the administrator. Some of the available commands that would be useful to an attacker are TERM and WIPE. TERM uninstalls the application and WIPE will wipe the entire phone.
CVE-2012-2567: Information exposure on insecure non-default FTP account
MobileTrack also contains an information exposure vulnerability for a non-default configuration that uses FTP instead of HTTPS. Although it is not the default, a MobileTrack system administrator may inadvertently create a situation where user data is stored on Xelex's FTP server using the same username and password for all MobileTrack users (CWE-200). The data on the FTP server is automatically removed from the directory after upload so the window of opportunity for an attacker to copy the data is small. Test credentials are hard coded (CWE-798) into the MobileTrack application and data is transferred unencrypted (CWE-311) over FTP if the default HTTPS option is not used. The vendor has stated the hard-coded test credentials are not actively used in the application.
Additional details may be found in Mobile Defense's security advisory.
The CVSS score below applies to CVE-2012-2562.
An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex's FTP server may be exposed.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Xelex||Affected||08 May 2012||21 May 2012|
CVSS Metrics (Learn More)
Thanks to the Mobile Defense Threat Research Team for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2012-2562 CVE-2012-2567
- Date Public: 21 May 2012
- Date First Published: 21 May 2012
- Date Last Updated: 29 Jul 2014
- Document Revision: 49
If you have feedback, comments, or additional information about this vulnerability, please send us email.