Positive Technologies expert helps address vulnerability in MobSF mobile app analysis tool

Left unaddressed, the vulnerability could have allowed attackers to target users or organizations analyzing malicious mobile apps

Developers of the MobSF (Mobile Security Framework) tool have fixed a vulnerability discovered by PT SWARM expert Oleg Surnin. The vendor was notified of the threat in line with the responsible disclosure policy and has already released software patches.

The vulnerability CVE-2024-31215 (BDU:2024-03055) received a CVSS 3.1 score of 6.3. Users are advised to install MobSF version 3.9.8 or later to address the vulnerability.

MobSF is a widely used tool among developers and security researchers. It is included in popular penetration testing distributions[1] like BlackArch and is trusted by independent experts and companies specializing in mobile app development and penetration testing. The tool is also an integral part of secure development processes.

If the vulnerability had not been fixed, a successful attack would only have required a user to upload a malicious mobile app to MobSF. For example, during incident investigations, cybersecurity professionals might use MobSF to scan suspicious apps, inadvertently exposing themselves to cyberattacks.

Oleg Surnin, Head of Mobile Application Security Research at PT SWARM, noted: "Mobile apps often use Firebase cloud databases, provided by Google as a backend-as-a-service. When analyzing an app, MobSF checks the security of such databases, including whether unauthorized access is possible. An attacker could craft a malicious app in such a way that MobSF, instead of sending legitimate requests to Firebase databases, follows a malicious link prepared by the attacker. This link could redirect MobSF to resources within the investigator's or company's network perimeter. Depending on the software present within the perimeter, the attack could result in code execution, data theft, or other consequences."

Oleg Surnin further noted that such vulnerabilities arise when applications fail to verify the legitimacy of the resources they interact with.
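The root cause described above, trusting a database URL taken from the app under analysis, is something an analyzer can guard against before it makes any outbound request. The following allow-list check is an added example in Python; it is not MobSF's own code or its actual patch, and the Firebase host suffixes, the policy and the sample URLs are assumptions made for the illustration.

```python
# Added example (not MobSF's code): validate a Firebase Realtime Database URL
# extracted from an untrusted app before the analyzer fetches it. Anything that
# could steer the request toward another host is rejected instead of requested.
import ipaddress
from urllib.parse import urlsplit

# Public Firebase RTDB host suffixes (assumed allow-list for this example).
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")


def is_safe_firebase_url(url: str) -> bool:
    """True only for an https URL whose host is a Firebase RTDB domain."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":          # no http, file, gopher, ...
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:  # no user@host tricks
        return False
    if port not in (None, 443):          # only the default TLS port
        return False
    try:
        ipaddress.ip_address(host)       # IP literals (127.0.0.1, [::1], 169.254.x.x) never pass
        return False
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    # The suffix includes the leading dot, so "evil-firebaseio.com" and
    # "x.firebaseio.com.attacker.example" both fail.
    return any(host.endswith(sfx) for sfx in FIREBASE_SUFFIXES)


def triage(urls):
    """Split candidate URLs into (allowed, blocked); only `allowed` may be fetched.
    The fetch itself should still refuse to follow HTTP redirects, since a
    redirect from an allowed host would otherwise re-open the same problem."""
    allowed = [u for u in urls if is_safe_firebase_url(u)]
    blocked = [u for u in urls if u not in allowed]
    return allowed, blocked


# Constructed sample URLs, as an attacker-controlled app might embed them.
SAMPLE_URLS = [
    "https://demo-app-12345.firebaseio.com/.json",
    "https://demo-app-12345.europe-west1.firebasedatabase.app/.json",
    "http://demo-app.firebaseio.com/.json",            # plain http
    "https://10.0.0.5/.json",                           # internal IP literal
    "https://intranet.corp.example/.json",              # internal hostname
    "https://demo-app.firebaseio.com.attacker.example/.json",
    "https://evil-firebaseio.com/.json",
    "https://demo@demo-app.firebaseio.com/.json",       # userinfo in authority
    "https://demo-app.firebaseio.com:8443/.json",       # non-default port
    "https://[::1]/.json",
]
```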

To block exploitation attempts, Positive Technologies recommends using advanced security solutions, including web application firewalls like PT Application Firewall (also available in the cloud version: PT Cloud Application Firewall). To reduce the threat of exploitation, endpoint detection and response (EDR) security solutions like MaxPatrol EDR can also help. MaxPatrol EDR allows you to detect malicious activity, quickly respond to it, send an alert to MaxPatrol SIEM, and prevent attackers from carrying out the attack. To detect vulnerabilities on your assets, you can also use the MaxPatrol VM vulnerability management system. NTA solutions, such as PT Network Attack Discovery, and network traffic analysis tools, like PT NGFW, will help you promptly detect attempts to exploit vulnerabilities within your company's network perimeter.

  1. A distribution is a packaged version of software that includes all the necessary files and components for installing and running the software on a computer.
