Security Notifications

Apache Commons Text “Text4Shell”

A vulnerability known as Text4Shell (CVE-2022-42889) was recently announced in the Apache Commons Text library. SOTI products do not use the vulnerable library and are not affected by this issue. There is no action required on the part of SOTI customers.

Log4j Vulnerability

A vulnerability was recently announced in the Log4j library. The vulnerability, known as Log4Shell (CVE-2021-44228), has been actively investigated by SOTI’s Security & Compliance Team, since Friday, December 10, 2021. The SOTI ONE Platform makes indirect use of this library, and to date, our investigations have determined no exploitable path to the vulnerability within the SOTI ONE Platform.

Detailed information about the Log4j vulnerability will be updated here as more information becomes available.

Meltdown and Spectre

The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities have been featured prominently in both technical and mainstream news. These vulnerabilities exploit flaws in the speculative execution optimization techniques used in the CPUs of most modern computer systems. SOTI has monitored, assessed and patched these vulnerabilities on SOTI's cloud services, which include SOTI MobiControl Cloud. Below is a summary of the precautions SOTI and our cloud hosting partners have taken to protect our customers and partners from these vulnerabilities.

Responding to Meltdown and Spectre requires a comprehensive response that includes the physical processing infrastructure, virtual machine hypervisors and operating systems. SOTI MobiControl Cloud and other SOTI cloud services are hosted on Amazon Web Services' (AWS) EC2 virtual machines. Amazon has released a security bulletin confirming that their EC2 virtual machines are protected from the Meltdown and Spectre vulnerabilities. While Amazon maintains and secures the physical infrastructure, hypervisors and related infrastructure as detailed in their AWS Shared Responsibility Model, SOTI maintains and secures the operating systems running on the EC2 virtual machines. SOTI has responded to Meltdown and Spectre by installing the patches and configuration changes published by Microsoft to protect Microsoft Windows running on the virtual machines from these vulnerabilities. As a result of these precautions, SOTI MobiControl Cloud and other SOTI cloud services are well-protected from Meltdown and Spectre.

Customers running on-premise instances of SOTI MobiControl should apply the necessary Microsoft patches on all Windows machines or virtual machines that are running SOTI MobiControl components such as the Management Service, Deployment Service and Enterprise Resource Gateway.

WannaCry Ransomware

The WannaCry exploits a specific vulnerability in Microsoft Windows Server SMB services identified in Microsoft bulletin MS17-010 released on March 14, 2017. The same security bulletin also provided the patches required to resolve and close the vulnerability. WannaCry exploits this vulnerability to enable remote execution of arbitrary code on affected computers by attacking vulnerable Windows Servers using unpatched SMB services running on port 445.

SOTI MobiControl Cloud does not use SMB and therefore disables SMB and blocks port 445. This effectively immunizes SOTI MobiControl Cloud systems from the WannaCry ransomware. SOTI Inc. Administrators have also thoroughly reviewed all SOTI Inc. infrastructure and determined all systems have the required from MS17-010 installed.

DROWN Vulnerability

The recently announced Drown attack is a new technique for reading the contents of secure messages. This vulnerability affects computers that run a type of protection known as SSLv2, and through observation of multiple SSL handshakes followed by repeated connection initiations, could allow an attack to decrypt TLS encrypted cypher text.

On-Premises Customers

Microsoft IIS version 7 and above, and versions 3.13 and above of the NSS crypto library all have SSLv2 disabled by default. You can check if you are vulnerable by visiting https://www.ssllabs.com/ssltest/index.html and entering your server URL.

There is also a test at http://test.drownattack.com. Please note that this test uses cached data, so may not reflect recent patches across all servers.

Instructions for disabling SSLv2 on older IIS versions can be found here: https://support.microsoft.com/en-us/kb/187498.

OpenSSL isn’t part of MobiControl, so should not be an issue for SOTI clients.

Cloud Customers

MobiControl Cloud customers are NOT vulnerable to this this attack.

As part of the setup and hardening process for MobiControl Cloud servers, we ensure all unnecessary protocols are disabled, including SSLv2.

SOTI Services

The systems that host SOTI Services have been patched and are not vulnerable to this type of attack.

Quicksand Vulnerability

A vulnerability was recently discovered in the Sandbox_profiles component included in versions of Apple iOS before 8.4.1. The vulnerability, dubbed Quicksand, enables an attacker to bypass the third-party app-sandbox protection mechanism and read arbitrary managed preferences via a crafted app. This vulnerability affects only those customers who use MobiControl to distribute apps that use the "Managed App Configuration" setting to configure and store private settings and information.

This vulnerability has been patched in iOS 8.4.1 issued on August 13, 2015. More information about this vulnerability can be found here and here.

Information about the security content of iOS 8.4.1 can be found here.

Customers should ensure that all iOS devices managed by MobiControl are upgraded to iOS 8.4.1.

Logjam

On May 19, 2015 a team of researchers announced the discovery of a flaw in the Transport Layer Security (TLS) cryptographic protocol used to protect many web sites and email servers. The vulnerability, dubbed Logjam, involves the Diffie-Hellman key-exchange protocol used in TLS. It enables a man-in-the-middle attacker to force a server to use weaker export-grade cryptography. More information about the Logjam vulnerability is available here.

MobiControl Cloud and SOTI Services customers are not affected by this vulnerability, and no action is required on their part.

VENOM

On May 13, 2015 the discovery of a buffer overflow bug, dubbed VENOM, was announced. The bug resides in the code for a low-level floppy disk controller used in the Xen, KVM, and native QEMU virtual machine platforms. The bug could enable an attacker to escape from a protected guest environment to the host operating system, and from there to potentially attack and compromise other virtual machines. More information about the vulnerability (CVE-2015-3456) is available here.

MobiControl Cloud and SOTI Services customers are not affected by this vulnerability, and no action is required on their part. Both MobiControl Cloud and the SOTI Services are hosted on Amazon Web Services, which were patched by Amazon before the public announcement.

FREAK Vulnerability

A vulnerability has been discovered in several implementations of the SSL/TLS protocols used to secure many web sites. This vulnerability, known as FREAK (Factoring RSA Export Keys), would enable a man-in-the-middle attack to force a web browser into using weaker 'export-grade' encryption to communicate with a web server. The weaker encryption could be cracked by an attacker within a few hours.

The FREAK vulnerability does not affect MobiControl directly but does affect the Microsoft Windows operating systems on which MobiControl systems are hosted.

On-premise Customers

Microsoft has issued a security update for currently supported versions of Windows, and customers should apply this update to their systems as soon as possible. See Microsoft Security Bulletin MS15-031 for more information about the update.

Cloud Customers

Cloud customers are not affected by this vulnerability.

SOTI Services

The systems that host the SOTI Services have been updated and are no longer affected by this vulnerability.

GHOST Vulnerability

On January 27, 2015 a heap-based buffer overflow bug, commonly known as 'GHOST', was discovered in the gethostbyname() functions in the glibc library. glibc is the GNU implementation of the C standard library, and is included in most Linux distributions. More information about this vulnerability can be found here.

No SOTI products use the glibc library, and SOTI's infrastructure is not affected. Also note that glibc is not included in Windows, iOS or Android by default. If you do not use the glibc library on any of your systems, then no action is required.

Schannel

A critical vulnerability has been discovered in the Microsoft Secure Channel (Schannel) security component on Windows.

The vulnerability enables an attacker to remotely execute malicious code on a Windows computer by sending it specially formed packets. All currently supported versions of Windows are affected.

A patch to fix this vulnerability has been issued by Microsoft (KB2992611), and SOTI has applied this patch to all internal and cloud systems running Windows.

We strongly recommend that MobiControl customers apply the patch to their Windows computers as soon as possible.

For more information on the vulnerability, see Microsoft Security Bulletin MS14-066.

SSL Poodle Vulnerability

A vulnerability has been discovered in SSL 3.0 protocol. This vulnerability is known as POODLE (CVE-2014-3566)

SOTI MobiControl utilizes the implementation of SSL and TLS provided by Microsoft in the Windows operating system. It is recommended by Microsoft that SSL 3.0 support be disabled to protect your enterprise against POODLE.

SOTI MobiControl cloud customers are unaffected as remediation has been performed to address this exploit.

SOTI MobiControl customers with in premise may be affected if SSL 3.0 is enabled:

If the Windows operating system on the machine where MobiControl is installed has SSL 3.0 support disabled, then your system is not affected, and no action is required
If the Windows operating system on the machine where MobiControl is installed has SSL 3.0 support enabled then your system may be at risk to this vulnerability.
This vulnerability can be mitigated on the server side by modifying the Windows registry. For more information on Microsoft’s resolution please see the Microsoft Security Advisory

Potential impacts of disabling SSL 3.0:

Internet Explorer (IE) 6.0 does not support TLS v1.0 and above. If you are using IE 6.0 to view the MobiControl web console, you will need to use a more recent browser version in order to have protection against this vulnerability
Older versions of the Windows CE, Windows Pocket PC (Pocket PC 2000, Handheld PC 2000, Pocket PC 2002 and Smartphone 2002), do not support TLS v1.0. As a result, disabling support for SSL 3.0 is not an option for customers using these devices.

SOTI continues to remain committed to protecting your enterprise and your users against the latest threats in enterprise mobility.

ShellShock

SOTI MobiControl helps enterprises protect against vulnerabilities in operating systems that can affect your enterprise’s day-to-day technology-driven operations.

Most recently, a new vulnerability has been found that affects most versions of the Linux and Unix operating systems. Known as “ShellShock” or “Bash Bug”, this security threat gives attackers the ability to take over your enterprise’s computers and mobile devices. This vulnerability is a command-line shell processor that could allow an attacker to take complete control of technology that uses the Bourne-Again Shell (bash).

SOTI customers are UNAFFECTED. SOTI MobiControl and all affiliated SOTI Services are not affected by the ShellShock vulnerability.

MobiControl is used to manage, secure and control mobile devices, which run a number of operating systems. These are the devices that organizations rely upon for critical business operations, and it is paramount for them to remain secure at all times. Those operating systems include iOS, Android, and Windows. None of these operating systems are subject to this vulnerability, unless they have been rooted as described below. As SOTI MobiControl has the ability to identify and take automatic action against rooted, jail-broken devices, MobiControl can secure the organization against the threat.

Windows: NOT AFFECTED - Windows operating systems are not directly affected by this vulnerability since only Unix based operating systems are affected.

Android: NOT AFFECTED – Android devices run a Linux based operating system, and are NOT affected by this vulnerability as long as this operating system has not been rooted, and the vulnerable version of Bash has not been installed and exposed.

iOS: NOT AFFECTED – iOS devices run a Unix based operating system, and are NOT affected by this vulnerability, as long as this operating system has not been jail-broken, and the vulnerable version of Bash has not been installed and exposed.

SOTI continues to remain committed to protecting your enterprise and your users against existing and emerging threats in enterprise mobility.

If you have any questions, please feel free to contact support@soti.net

Heartbleed

Heartbleed, a security threat targeting organizations that have trusted OpenSSL to protect their data, has allowed hackers to steal data from approximately 15% of websites via an OpenSSL encryption flaw.

The good news for SOTI customers is that hosted websites and services do not make use of OpenSSL, and are not vulnerable to this threat.

The list of unaffected SOTI products and services include:

SOTI Website
SOTI Services
SOTI electronic payment (3rd party) web pages
SOTI MobiControl (Servers and Agents)

We continue to monitor the impact and risks of the Heartbleed virus and will provide further updates as available.

If you have any questions, please feel free to contact support@soti.net