VMware plugs RCE hole in remote management agent

VMware has fixed a critical remote code execution vulnerability in VMware AirWatch Agent for Android and Windows Mobile, and is urging users to upgrade to the newest versions of the software (8.2 and 6.5.2, respectively). The iOS version is not affected.

VMware AirWatch Agent is a mobile File Manager application and is part and parcel of the VMware Workspace ONE platform (powered by AirWatch unified endpoint management technology).

About the vulnerability (CVE-2018-6968)

“VMware Workspace ONE UEM currently offers a real-time File Manager for Android and Windows Mobile/CE devices, and Task/Registry Managers for Windows Mobile/CE devices,” the company explained.

“These capabilities are independent of other File & Registry Management capabilities within the AirWatch platform such as Files/Actions through Product Provisioning and the newer File Manager inside Advanced Remote Management. These legacy File, Task & Registry Management features are built upon legacy technologies and have recently been discovered to be impacted by an urgent security vulnerability.”

The vulnerability is an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices.

It can be exploited by remote attackers with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on it, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).

The offered updates effectively disable File and Registry Management capabilities.

VMware also added that “through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks” and that the functionality will be deprecated in future releases of the Workspace ONE UEM Console.