VMSA-2017-0001

AirWatch updates address bypass of root detection and local data encryption

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2017-0001
VMware Security Advisory Severity:
 Important
VMware Security Advisory Synopsis:
 AirWatch updates address bypass of root detection and local data encryption
VMware Security Advisory Issue date:
 2017-01-30
VMware Security Advisory Updated on:
2017-01-30 (Initial Advisory)
VMware Security Advisory CVE numbers:
CVE-2017-4895, CVE-2017-4896
 
1. Summary

AirWatch updates address bypass of root detection and local data encryption

 
2. Relevant Products
  • Airwatch Agent
  • Airwatch Console
  • AirWatch Inbox
 
3. Problem Description

a. Root detection bypass

 

Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection. Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data.
 

VMware would like to thank Finn Steglich from SySS GmbH for reporting this issue to us.  

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4895 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Mitigation/ Workaround
VMware Product Airwatch Agent
Product Version x.x
Running on Android
Severity Important
Replace with/ Apply Patch 7.0
Mitigation/ Workaround None


b. Local data encryption bypass

Airwatch Inbox for Android contains a vulnerability that may allow a rooted device to decrypt the local data used by the application. Successful exploitation of this issue may result in an unauthorized disclosure of confidential data.

VMware would like to thank Finn Steglich from SySS GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4896 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Mitigation/ Workaround
VMware Product Airwatch Console
Product Version x.x
Running on Android
Severity Important
Replace with/ Apply Patch 9.0 FP1*
Mitigation/ Workaround KB115002293928
VMware Product Airwatch Inbox
Product Version x.x
Running on Android
Severity Important
Replace with/ Apply Patch 2.12*
Mitigation/ Workaround KB115002293928


*To remediate this vulnerability, Pin-Based Encryption (PBE) must be enabled. This feature was introduced in the versions of the Airwatch Console and Inbox listed in the table above. PBE is also available in many other Airwatch applications. For more information on PBE please see: https://support.air-watch.com/articles/115002156907

4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.


Airwatch Agent for Android
Downloads and Documentation:
https://play.google.com/store/apps/details?id=com.airwatch.androidagent&hl=en

Airwatch Inbox for Android
Downloads and Documentation:
https://play.google.com/store/apps/details?id=com.airwatch.email&hl=en

6. Change log

 

2017-01-30: VMSA-2017-0001
Initial security advisory.

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2017 VMware Inc. All rights reserved.