VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.
The agent is installed by users on a mobile device in order to allow the AirWatch to manage it.
The flaw, tracked as CVE-2018-6968, “may allow for unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”
“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).” reads the advisory published by VMware.
“This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015”
“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sandbox and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.
VMware has addressed the flaw with the release of version 8.2 for Android and 6.5.2 for Windows Mobile, iOS version of the VMware AirWatch agent is not impacted.
Experts also provided a workaround for Android users who can choose C2DM/GCM instead of AWCM as their preferred push notification service.
The security updates address the vulnerability by disabling the flawed file, task, and registry management capabilities. VMware will deprecate the functionality in the next months.
“Through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.