VMware addresses a critical remote code execution vulnerability in AirWatch Agent

VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.

The agent is installed by users on a mobile device in order to allow the AirWatch to manage it.

The flaw, tracked as CVE-2018-6968, “may allow for unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).” reads the advisory published by VMware.

“This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015” 

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sand­­box and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.

VMware has addressed the flaw with the release of version 8.2 for Android and 6.5.2 for Windows Mobile, iOS version of the VMware AirWatch agent is not impacted.

Experts also provided a workaround for Android users who can choose C2DM/GCM instead of AWCM as their preferred push notification service.

The security updates address the vulnerability by disabling the flawed file, task, and registry management capabilities. VMware will deprecate the functionality in the next months.

“Through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –BeC, Operation WireWire)

[adrotate banner=”5″]

[adrotate banner=”13″]