Possible Information Disclosure in MobileIron for Android
History:
- 28/07/2022 --- v1.0 -- Initial publication
Summary
The problem affects Android users of MobileIron who have the "Use smart send" option enabled in the Email+ client. When User A forwards or replies to an email to User B, User B receives a different email body instead of the original email.
This could lead to information disclosure, especially when the recipients are outside the sender's organisation.
Technical Details
The issue is related to SmartForward/SmartReply. When this feature is in use (offered by the ActiveSync protocol), it allows the client to forward a message without retrieving the full original message from the server. The client sends only the user's added text and tells the Exchange server to append the full text of the original message from the server side [1].
To do so, the client asks the Exchange server to look up the original email, e.g. by its ServerId X. If ServerId X somehow gets reused for another email, the following happens:
An Email+ user tries to forward email A, which has ServerId X. During the sync process, after the sync, email A has ServerId Y and ServerId X is reused for another email B. Since the sync is already in progress, the server assumes the client is already using the new ServerIds and forwards email B instead of email A.
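To make the sequence above concrete, the following Python models a mailbox whose ServerIds are rewritten by a sync and shows why a SmartForward that trusts the ServerId alone sends the wrong body. This is an added illustration, not Email+ or Exchange code: the Email and Mailbox classes, the message_id check in the hardened variant and all sample messages are assumptions constructed for the example.

```python
"""Model of the SmartForward ServerId-reuse failure (added illustration, not
Email+ or Exchange code). The Email and Mailbox classes, the message_id check
in the hardened variant and all sample messages are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Email:
    message_id: str  # assumed stable identifier that a re-sync does not change
    subject: str
    body: str


@dataclass
class Mailbox:
    """Server-side view: the ServerId -> Email table that a sync may rewrite."""
    by_server_id: dict = field(default_factory=dict)

    def sync(self, new_mapping):
        # A sync can move a message to a new ServerId and reuse the old one.
        self.by_server_id = dict(new_mapping)

    def smart_forward(self, server_id, added_text, recipient):
        """SmartForward as described in the advisory: the client sends only its
        added text plus a ServerId, and the server appends whatever that
        ServerId currently points to."""
        original = self.by_server_id[server_id]
        return {"to": recipient, "body": added_text + "\n---\n" + original.body}

    def smart_forward_checked(self, server_id, expected_message_id,
                              added_text, recipient):
        """Hardened variant (assumed design, not the product's): refuse to send
        when the ServerId no longer refers to the message the user selected."""
        original = self.by_server_id.get(server_id)
        if original is None or original.message_id != expected_message_id:
            raise LookupError(
                "ServerId %s no longer refers to %s; re-sync and retry"
                % (server_id, expected_message_id))
        return {"to": recipient, "body": added_text + "\n---\n" + original.body}


def _race_scenario():
    """Build the situation from the advisory: the user picks email A at
    ServerId X, then a sync moves A to Y and reuses X for email B."""
    email_a = Email("<a@example.test>", "Q3 budget", "Internal budget figures")
    email_b = Email("<b@example.test>", "Lunch", "Pizza at noon?")
    mailbox = Mailbox({"X": email_a})
    selected_server_id = "X"
    selected_message_id = mailbox.by_server_id[selected_server_id].message_id
    mailbox.sync({"Y": email_a, "X": email_b})  # X is now reused for B
    return mailbox, selected_server_id, selected_message_id


def forward_unchecked():
    """Returns the body that actually leaves the organisation: email B's."""
    mailbox, sid, _ = _race_scenario()
    return mailbox.smart_forward(sid, "FYI", "partner@external.test")["body"]


def forward_checked():
    """Returns None because the hardened variant detects the ServerId reuse."""
    mailbox, sid, mid = _race_scenario()
    try:
        return mailbox.smart_forward_checked(
            sid, mid, "FYI", "partner@external.test")["body"]
    except LookupError:
        return None


if __name__ == "__main__":
    print("unchecked forward sent:", repr(forward_unchecked()))
    print("checked forward sent:", forward_checked())
```

The unchecked path reproduces the advisory: the user chose the budget mail, but the body that reaches the external recipient is the lunch mail that now sits at ServerId X. The checked path only illustrates the kind of identity check that would catch the mismatch; the workaround the advisory actually offers is to disable smart send so the client always uploads the full original body itself.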
Affected Products
The following product versions are affected:
- Android Email+, all versions
Workaround
To disable SmartForward/SmartReply in the client: Email+ client > Settings > disable "Use smart send".
To disable SmartForward/SmartReply as a configuration option, use the following key/value pairs:
- For Email+ version 3.1.1 and higher: use the disabled_features key and include the value smart_send.
- For Email+ version 2.18 and higher: use the enabled_features key and include the value disable_smart_send.
References
[1] https://forums.ivanti.com/s/article/When-forwarding-mail-random-email-body-is-sent?language=en_US