VMSA-2017-0001
AirWatch updates address bypass of root detection and local data encryption
VMware Security Advisory
1. Summary
AirWatch updates address bypass of root detection and local data encryption
2. Relevant Products
- Airwatch Agent
- Airwatch Console
- AirWatch Inbox
3. Problem Description
a. Root detection bypass
Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection. Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data.
VMware would like to thank Finn Steglich from SySS GmbH for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4895 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Mitigation/ Workaround
b. Local data encryption bypass
Airwatch Inbox for Android contains a vulnerability that may allow a rooted device to decrypt the local data used by the application. Successful exploitation of this issue may result in an unauthorized disclosure of confidential data.
VMware would like to thank Finn Steglich from SySS GmbH for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4896 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Mitigation/ Workaround
*To remediate this vulnerability, Pin-Based Encryption (PBE) must be enabled. This feature was introduced in the versions of the Airwatch Console and Inbox listed in the table above. PBE is also available in many other Airwatch applications. For more information on PBE please see: https://support.air-watch.com/articles/115002156907
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
Airwatch Agent for Android
Downloads and Documentation:
https://play.google.com/store/apps/details?id=com.airwatch.androidagent&hl=en
Airwatch Inbox for Android
Downloads and Documentation:
https://play.google.com/store/apps/details?id=com.airwatch.email&hl=en
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Copyright 2017 VMware Inc. All rights reserved.