{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-055.pdf"
    },
    "title": "Possible Information Disclosure in MobileIron for Android",
    "serial_number": "2022-055",
    "publish_date": "28-07-2022 14:26:00",
    "description": "The problem affects Android users using MobileIron and having the Use smart send option enabled in the Email+ client. When \"User A\" forwards/replies to an email to \"User B\", \"User B\" receives a different email body instead of the original email. This could lead to information disclosure, especially in case of recipients being outside of the sender's organisation.",
    "url_title": "2022-055",
    "content_markdown": "---\ntitle: 'Possible Information Disclosure in\u00a0MobileIron for Android'\nversion: '1.0'\nnumber: '2022-055'\noriginal_date: 'June 27, 2021'\ndate: 'July 28, 2022'\n---\n_History:_\n\n* _28/07/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nThe problem affects Android users using **MobileIron** and having the _Use smart send_ option enabled in the **Email+** client. When `User A` forwards/replies to an email to `User B`, `User B` receives a different email body instead of the original email.\n\nThis could lead to information disclosure, especially in case of recipients being outside of the sender's organisation.\n\n# Technical Details\n\nThe issue is related to _SmartForward/SmartReply_. When this feature is in use (offered by the ActiveSync protocol), it allows the client to forward messages without retrieving the full, original message from the server. The client sends only the user's added text and tells the Exchange server to append the full text of the original message on the server side [1].\n\nTo do so, the client asks the Exchange server to look up the original email, e.g. by its `ServerID X`. If `ServerID X` is somehow used for another email, the following issue occurs:\n\n>A user of **email+** tries to forward `email A` with `ServerID X` during a sync process; after the sync, `email A` will have `ServerID Y`, and `ServerID X` will be reused for another `email B`. Since the sync is already in progress, the server _thinks_ that the client already uses the new ServerIDs and forwards `email B` instead of `email A`.\n\n# Affected Products\n\nThe following product versions are affected:\n\n- Android **email+** all versions\n\n# Workaround\n\nTo disable _SmartForward/SmartReply_: from the **email+** client > settings > disable _Use smart send_\n\nTo disable _SmartForward/SmartReply_ as a configuration option, you can use the following key/value pairs:\n\n- For **email+** version 3.1.1 and higher:\n\n>Use the `disabled_features` key, and include the value `smart_send`.\n\n- For **email+** version 2.18 and higher:\n\n>Use the `enabled_features` key, and include the value `disable_smart_send`.\n\n# References\n\n[1] <https://forums.ivanti.com/s/article/When-forwarding-mail-random-email-body-is-sent?language=en_US>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>28/07/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>The problem affects Android users using <strong>MobileIron</strong> and having the <em>Use smart send</em> option enabled in the <strong>Email+</strong> client. When <code>User A</code> forwards/replies to an email to <code>User B</code>, <code>User B</code> receives a different email body instead of the original email.</p><p>This could lead to information disclosure, especially in case of recipients being outside of the sender's organisation.</p><h2 id=\"technical-details\">Technical Details</h2><p>The issue is related to <em>SmartForward/SmartReply</em>. When this feature is in use (offered by the ActiveSync protocol), it allows the client to forward messages without retrieving the full, original message from the server. The client sends only the user's added text and tells the Exchange server to append the full text of the original message on the server side [1].</p><p>To do so, the client asks the Exchange server to look up the original email, e.g. by its <code>ServerID X</code>. If <code>ServerID X</code> is somehow used for another email, the following issue occurs:</p><blockquote><p>A user of <strong>email+</strong> tries to forward <code>email A</code> with <code>ServerID X</code> during a sync process; after the sync, <code>email A</code> will have <code>ServerID Y</code>, and <code>ServerID X</code> will be reused for another <code>email B</code>. Since the sync is already in progress, the server <em>thinks</em> that the client already uses the new ServerIDs and forwards <code>email B</code> instead of <code>email A</code>.</p></blockquote><h2 id=\"affected-products\">Affected Products</h2><p>The following product versions are affected:</p><ul><li>Android <strong>email+</strong> all versions</li></ul><h2 id=\"workaround\">Workaround</h2><p>To disable <em>SmartForward/SmartReply</em>: from the <strong>email+</strong> client &gt; settings &gt; disable <em>Use smart send</em></p><p>To disable <em>SmartForward/SmartReply</em> as a configuration option, you can use the following key/value pairs:</p><ul><li>For <strong>email+</strong> version 3.1.1 and higher:</li></ul><blockquote><p>Use the <code>disabled_features</code> key, and include the value <code>smart_send</code>.</p></blockquote><ul><li>For <strong>email+</strong> version 2.18 and higher:</li></ul><blockquote><p>Use the <code>enabled_features</code> key, and include the value <code>disable_smart_send</code>.</p></blockquote><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.ivanti.com/s/article/When-forwarding-mail-random-email-body-is-sent?language=en_US\">https://forums.ivanti.com/s/article/When-forwarding-mail-random-email-body-is-sent?language=en_US</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}