SCEP Security Vulnerability
A component that most Mobile Device Management (MDM) products use today is the Simple Certificate Enrollment Protocol (SCEP). Its adoption was propelled by Apple's use of it for iOS 4 devices in 2010; Cisco and VeriSign designed it in early 2000. The protocol was designed to make the issuing and revocation of digital certificates as scalable as possible. Its use in MDM solutions for the growing BYOD footprint in particular could be a concern.
The US Computer Emergency Readiness Team (US-CERT) released Vulnerability Note #971035 on June 27th: http://www.kb.cert.org/vuls/id/971035
It stated: “An attacker could elevate their permissions by requesting a certificate of a different, possibly higher privileged user that would allow them to access resources that they would not otherwise be able to access.”
Certified Security Solutions (CSS) is credited with reporting the vulnerability; more exact details are documented in their 8-page whitepaper: http://www.css-security.com/wp-content/uploads/2012/05/SCEP-and-Untrusted-Devices.pdf
A 12-minute video demonstrating the vulnerability and giving a security overview is available here: http://www.css-security.com/scep/
Mark Diodati from Gartner has pointed out that the following vendors have modified or proxied their SCEP enrollment process so that the distinguished name in the request is validated more strictly, protecting against this potential vulnerability:
AirWatch, Good Technology, Fiberlink, MobileIron, and Zenprise
The same can also be said about Silverback MDM, and probably several other vendors. If you are concerned, ask your vendor for details.
But as Ted Shorter from CSS also points out in his blog article, even if the various products in use might not be directly affected, it is important to look at the full solution, how it is implemented and what risks remain.
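As an added example (not code from the page or from any of the vendors named above), here is how such a proxy-side enrollment check can be expressed in Go: the CSR's Subject CN must match the user the MDM server authenticated when it handed out the one-time challenge, and the challenge is consumed only after every check passes. The Enrollment record, its field names and the fact that the challenge is passed in separately (in SCEP it travels in the CSR's challengePassword attribute) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// Enrollment is what the MDM server recorded when it authenticated a user and
// handed the device a one-time challenge (constructed; field names are assumed).
type Enrollment struct {
	UserCN string // the only Subject CN this challenge may be used to request
	Used   bool   // a challenge is single-use
}

// ValidateSCEPRequest only lets a CSR through to the CA if it names the
// identity bound to the challenge it was submitted with.
func ValidateSCEPRequest(csrDER []byte, challenge string, db map[string]*Enrollment) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	e, ok := db[challenge]
	if !ok || e.Used {
		return errors.New("unknown or already used challenge")
	}
	if csr.Subject.CommonName != e.UserCN {
		return fmt.Errorf("subject CN %q does not match enrolled user %q", csr.Subject.CommonName, e.UserCN)
	}
	e.Used = true // consume only after every check passed
	return nil
}

// makeCSR builds a signed CSR for the given CN (constructed test input).
func makeCSR(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}

func main() {
	db := map[string]*Enrollment{"otp-1234": {UserCN: "alice"}}
	fmt.Println(ValidateSCEPRequest(makeCSR("alice"), "otp-1234", db)) // accepted
	fmt.Println(ValidateSCEPRequest(makeCSR("admin"), "otp-1234", db)) // rejected
}
```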
As the US-CERT posting highlights, the IETF draft for SCEP has, since March 2011, also pointed to other solutions with more comprehensive functionality, Certificate Management Protocol (CMP) [RFC4210] and Certificate Management over CMS (CMC) [RFC5272], stating that “implementers are encouraged to support one of these comprehensive standards track certificate management protocols in addition to the protocol defined in this specification”.
As the market for Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) matures further, I would expect more functionality and wider use of newer security standards and processes. With all the MDM products on the market, the top players continue to add features that they hope will differentiate them.