
How to remediate – MaaS360 Settings

1. Introduction

The MaaS360 Settings plugin configures credentials for checking mobile devices using MaaS360. Incorrectly configured settings could allow unauthorized access to device data and management functions. This affects systems that use the MaaS360 platform for Mobile Device Management (MDM). A compromise of these settings may impact the confidentiality, integrity, and availability of managed devices.

2. Technical Explanation

The vulnerability lies in how the plugin initializes credentials used by Web Services API checks within scan policies. The credentials are stored as part of the scan policy configuration. An attacker gaining access to a scan policy could potentially modify or view these credentials, enabling them to interact with MaaS360 as an authorized user. There is no known CVE associated with this specific plugin setting issue. A realistic example would be an internal actor modifying the credentials within a scan policy to gain unauthorized access to managed devices.

  • Root cause: Credentials for MaaS360 checks are stored in plain text within scan policies.
  • Exploit mechanism: An attacker with sufficient privileges modifies the credentials section of a scan policy, then uses those credentials to access the MaaS360 Web Services API.
  • Scope: Systems using the MaaS360 platform and utilizing the plugin for mobile device checks are affected.

3. Detection and Assessment

Confirming the vulnerability involves checking scan policy configurations for exposed credentials. A quick check is to review existing scan policies, while a thorough method requires examining all policies for credential details.

  • Quick checks: Review the ‘Credentials’ section of each scan policy in the MaaS360 console.
  • Scanning: No specific signature IDs are available for this vulnerability.
  • Logs and evidence: Audit logs within the MaaS360 platform may show modifications to scan policies, specifically changes to the credentials section.

4. Solution / Remediation Steps

Fixing this issue involves securing the credentials used in MaaS360 scan policies.

4.1 Preparation

  • Ensure you have appropriate permissions to modify scan policies within MaaS360. A rollback plan involves restoring the backed-up scan policy configuration if needed.
  • Change windows are generally not required, but approval from a security team may be advisable.

4.2 Implementation

  1. Log in to the MaaS360 console with administrative privileges.
  2. Navigate to ‘Policies’ and select the scan policy you want to review.
  3. Go to the ‘Credentials’ section of the selected scan policy.
  4. Verify that credentials are securely stored or consider using a more secure method for credential management, if available within MaaS360.
  5. Repeat steps 2-4 for all other scan policies.

4.3 Config or Code Example

Before


Username: admin
Password: password123

After


Username: [Securely stored credential reference]
Password: [Securely stored credential reference]

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Least Privilege – Limit access to scan policy modification to authorized personnel only.
  • Practice 2: Secure Credential Storage – Utilize a dedicated credential management system for storing and retrieving MaaS360 credentials instead of plain text within policies.

4.5 Automation (Optional)


No applicable automation script exists for a direct exposure check. Review scan policy configurations via the MaaS360 console.

5. Verification / Validation

Confirming the fix involves verifying that credentials are securely stored and no longer exposed in plain text within scan policies.

  • Post-fix check: Review the ‘Credentials’ section of each scan policy to ensure credentials are not visible in plain text.
  • Monitoring: Monitor audit logs within MaaS360 for any unauthorized modifications to scan policy configurations.

No applicable command exists for direct exposure check. Review scan policy configurations via the MaaS360 console. Credentials should be masked or referenced securely.

6. Preventive Measures and Monitoring


  • Baselines: Update security baselines to include requirements for secure credential storage within MDM platforms like MaaS360.
  • Pipelines: Implement regular audits of scan policy configurations to identify and remediate any exposed credentials.
  • Asset and patch process: Establish a regular review cycle for scan policies, including verification of credential security.
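
For the regular audits listed above, a sketch of an offline check is shown here. It is an added example, not MaaS360 or plugin code, and it assumes scan policies have been exported to text. The "[policy: NAME]" header and the rule that a bracketed value is a credential-store reference are assumptions modelled on the Before/After blocks in section 4.3.

```python
import re
from typing import NamedTuple

# Assumed export layout (constructed for this example, not a MaaS360 format):
# a "[policy: NAME]" header followed by "Username:" / "Password:" lines, as in
# the Before/After blocks above. A value wrapped in square brackets counts as
# a reference to a credential store; any other non-empty value is a literal.
HEADER = re.compile(r"^\[policy:\s*(?P<name>[^\]]+)\]$", re.I)
FIELD = re.compile(r"^(?P<key>Username|Password)\s*:\s*(?P<value>.*)$", re.I)
REFERENCE = re.compile(r"^\[[^\[\]]+\]$")


class Finding(NamedTuple):
    policy: str
    field: str
    line: int


def audit_policies(text: str) -> list:
    """Return where literal credentials appear, without copying their values."""
    findings = []
    policy = "<no policy header>"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            policy = header.group("name").strip()
            continue
        field = FIELD.match(line)
        if not field:
            continue
        value = field.group("value").strip()
        if not value or REFERENCE.match(value):
            continue  # unset, or an indirection to a credential store
        findings.append(Finding(policy, field.group("key").capitalize(), lineno))
    return findings


# Constructed sample: one policy with literals, one using references.
SAMPLE = """\
[policy: weekly-mdm-scan]
Username: admin
Password: password123

[policy: quarterly-audit]
Username: [Securely stored credential reference]
Password: [Securely stored credential reference]
"""

if __name__ == "__main__":
    for f in audit_policies(SAMPLE):
        print(f"{f.policy}: literal {f.field} on line {f.line}")
```

The report carries only the policy name, field and line number, so the audit output can be shared without spreading the exposed values further.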

7. Risks, Side Effects, and Roll Back

8. References and Resources

  • Vendor advisory or bulletin: No specific vendor advisory exists for this plugin setting issue. Refer to general MaaS360 security documentation.
  • NVD or CVE entry: No applicable NVD or CVE entry exists for this specific vulnerability.
  • Product or platform documentation relevant to the fix: VMware MaaS360 Documentation
Updated on December 27, 2025
