Unsubscribe - Re: CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries
- To: Advisories <advisories@xxxxxxxxxxxxxxxxxxxx>
- Subject: Unsubscribe - Re: CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries
- From: Gary Frank <garoo7@xxxxxxxxxxx>
- Date: Tue, 20 Mar 2018 22:35:17 +0000
Unsubscribe
Thanks, Gary
Sent from my iPhone
> On Mar 20, 2018, at 3:03 AM, Advisories <advisories@xxxxxxxxxxxxxxxxxxxx>
> wrote:
>
> #############################################################
> #
> # COMPASS SECURITY ADVISORY
> # https://www.compass-security.com/research/advisories/
> #
> #############################################################
> #
> # Product: Microsoft Intune [1]
> # Vendor: Microsoft
> # CSNC ID: CSNC-2017-026
> # Subject: Preserved Keychain Entries
> # Risk: Medium
> # Effect: Locally exploitable
> # Author: Stephan Sekula <stephan.sekula@xxxxxxxxxxxxxxxxxxxx>
> # Date: 31.08.2017
> #
> #############################################################
>
> Introduction:
> -------------
> Define a mobile management strategy that fits the needs of your organization.
> Apply flexible mobile device and app management controls that let employees
> work with the devices and apps they choose while protecting your company
> information. [1]
>
> Compass Security discovered a design weakness in Microsoft Intune's iOS
> Keychain management. This allows users to access company data even after the
> device has been unenrolled.
>
>
> Technical Description
> ---------------------
> If a user's device, which is enrolled with their company's MDM, is
> unenrolled, their Office access tokens are not removed from the iOS Keychain.
> Furthermore, the respective tokens are not invalidated on the server-side.
> Therefore, if the user reinstalls Office to their device after unenrollment,
> they may again obtain full access to the company's files.
>
>
> Workaround / Fix:
> -----------------
> This issue can be fixed by invalidating the user's access token on the
> server- and client-side. In addition, the Keychain items could also be
> encrypted with a key stored in the app's data directory. Since this key is
> removed with the data directory on uninstallation of the app, this renders
> the Keychain entry useless.
>
>
> Timeline:
> ---------
> 2017-08-22 Discovery by Stephan Sekula
> 2017-09-17 Initial vendor notification
> 2017-09-18 Initial vendor response
> 2017-10-04 Asking vendor for update
> 2017-10-04 Vendor replies that engineers are working on reproducing the issue
> 2017-11-01 Asking vendor for an update
> 2017-11-02 Vendor replies - They are waiting for a partner team to respond on the case.
> 2018-01-08 Asking vendor for update - No response
> 2018-02-12 Asking vendor for update - No response
> 2018-03-19 Public disclosure
>
>
> References:
> -----------
> [1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
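The client-side half of the workaround proposed in the quoted advisory (keep a random wrapping key in the app's own data directory, store only the AES-GCM-encrypted token in the Keychain, and delete both on unenrollment) can be sketched as follows. This is an added illustration, not code from Compass Security, Microsoft Intune or Office; the service/account strings, the file name `token-wrap.key`, the `TokenStore` type and its method names are assumptions chosen for the example. Because the Keychain item outlives an uninstall but the sandbox file does not, a reinstalled app finds an undecryptable blob instead of a usable token; server-side revocation of the token still has to happen separately.

```swift
import Foundation
import Security
import CryptoKit

/// Hypothetical token store (example code, not Intune's or Office's own):
/// the access token is sealed with a key that lives only in the app sandbox,
/// so the Keychain entry becomes useless once the app's data directory is gone.
enum TokenStore {
    static let service = "com.example.mdm-demo"   // assumed identifier
    static let account = "office-access-token"    // assumed identifier

    enum KeychainError: Error { case osStatus(OSStatus) }

    /// Wrapping key location: inside the sandbox, deliberately NOT in the Keychain.
    private static var wrapKeyURL: URL {
        let dir = FileManager.default.urls(for: .applicationSupportDirectory,
                                           in: .userDomainMask)[0]
        return dir.appendingPathComponent("token-wrap.key")   // assumed file name
    }

    private static func loadOrCreateWrapKey() throws -> SymmetricKey {
        if let raw = try? Data(contentsOf: wrapKeyURL) {
            return SymmetricKey(data: raw)
        }
        let key = SymmetricKey(size: .bits256)
        let raw = key.withUnsafeBytes { Data($0) }
        try FileManager.default.createDirectory(at: wrapKeyURL.deletingLastPathComponent(),
                                                withIntermediateDirectories: true)
        // completeFileProtection: the file is only readable while the device is unlocked.
        try raw.write(to: wrapKeyURL, options: [.atomic, .completeFileProtection])
        return key
    }

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Seal the token under the sandbox key and store only the ciphertext in the Keychain.
    static func save(token: String) throws {
        let key = try loadOrCreateWrapKey()
        let sealed = try AES.GCM.seal(Data(token.utf8), using: key)
        guard let blob = sealed.combined else { throw CocoaError(.coderInvalidValue) }
        var query = baseQuery
        // ThisDeviceOnly: the item is not migrated to another device via backup/restore.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        _ = SecItemDelete(query as CFDictionary)        // replace any previous value
        query[kSecValueData as String] = blob
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
    }

    /// Returns nil when no usable token exists. After a reinstall the Keychain blob may
    /// still be present, but the wrap key is gone, so the stale token cannot be recovered.
    static func load() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let blob = item as? Data else {
            throw KeychainError.osStatus(status)
        }
        guard let raw = try? Data(contentsOf: wrapKeyURL) else { return nil }
        let box = try AES.GCM.SealedBox(combined: blob)
        let plain = try AES.GCM.open(box, using: SymmetricKey(data: raw))
        return String(decoding: plain, as: UTF8.self)
    }

    /// Client-side cleanup on unenrollment or sign-out: remove the Keychain item AND the
    /// wrap key. The token must additionally be revoked on the server side.
    static func wipe() {
        _ = SecItemDelete(baseQuery as CFDictionary)
        try? FileManager.default.removeItem(at: wrapKeyURL)
    }
}
```

Two design points matter here. First, the wrap key is written with `completeFileProtection` and the Keychain item with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, so neither half is available from a locked device or carried to another device by a restore. Second, `wipe()` is only the client-side part: a token that is still valid at the identity provider can be replayed from any copy of it, so an MDM unenrollment hook should call the wipe and trigger server-side invalidation of the session, which is the other half of the fix the advisory asks for.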