what you don't know can hurt you

Microsoft Intune Design Weakness

Microsoft Intune Design Weakness
Posted Mar 20, 2018
Authored by Stephan Sekula

Compass Security discovered a design weakness in Microsoft Intune's iOS Keychain management. This allows users to access company data even after the device has been unenrolled.

tags | advisory
systems | apple, ios
MD5 | 07ee7ba08f913665a8c31f611a99564a

Microsoft Intune Design Weakness

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Microsoft Intune [1]
# Vendor: Microsoft
# CSNC ID: CSNC-2017-026
# Subject: Preserved Keychain Entries
# Risk: Medium
# Effect: Locally exploitable
# Author: Stephan Sekula <stephan.sekula@compass-security.com>
# Date: 31.08.2017
#
#############################################################

Introduction:
-------------
Define a mobile management strategy that fits the needs of your organization. Apply flexible mobile device and app management controls that let employees work with the devices and apps they choose while protecting your company information. [1]

Compass Security discovered a design weakness in Microsoft Intune's iOS Keychain management. This allows users to access company data even after the device has been unenrolled.


Technical Description
---------------------
If a user's device, which is enrolled with their company's MDM, is unenrolled, their Office access tokens are not removed from the iOS Keychain. Furthermore, the respective tokens are not invalidated on the server-side. Therefore, if the user reinstalls Office to their device after unenrollment, they may again obtain full access to the company's files.


Workaround / Fix:
-----------------
This issue can be fixed by invalidating the user's access token on the server- and client-side. In addition, the Keychain items could also be encrypted with a key stored in the app's data directory. Since this key is removed with the data directory on uninstallation of the app, this renders the Keychain entry useless.


Timeline:
---------
2017-08-22 Discovery by Stephan Sekula
2017-09-17 Initial vendor notification
2017-09-18 Initial vendor response
2017-10-04 Asking vendor for update
2017-10-04 Vendor replies that engineers are working on reproducing the issue
2017-11-01 Asking vendor for an update
2017-11-02 Vendor replies - They are waiting for a partner team to respond on the case.
2018-01-08 Asking vendor for update - No response
2018-02-12 Asking vendor for update - No response
2018-03-19 Public disclosure


References:
-----------
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close