VMware addresses a critical remote code execution vulnerability in AirWatch Agent

Haythem Elmir
0 1
Read Time1 Minute, 49 Second

VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.

The agent is installed by users on a mobile device in order to allow the AirWatch to manage it.

The flaw, tracked as CVE-2018-6968, “may allow for unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).” reads the advisory published by VMware.

“This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015” 

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sand­­box and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.

VMware airwatch

VMware has addressed the flaw with the release of version 8.2 for Android and 6.5.2 for Windows Mobile, iOS version of the VMware AirWatch agent is not impacted.

Experts also provided a workaround for Android users who can choose C2DM/GCM instead of AWCM as their preferred push notification service.

The security updates address the vulnerability by disabling the flawed file, task, and registry management capabilities. VMware will deprecate the functionality in the next months.

“Through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.”

 

To read the original article:

https://securityaffairs.co/wordpress/73452/hacking/airwatch-agent-rce.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Satori botnet is back again, experts observed a surge in port scan activity associated with it

This week, security experts observed a surge in port 8000 scan activity, researchers at  Qihoo 360 Netlab determined that the unusual activity was associated with Satori IoT botnet. Experts from Qihoo 360 Netlab discovered that the author of the Satori botnet have integrated a the proof-of-concept (PoC) code for the XionMai web server software package after it was […]