====================================================================
CERT-Renater Note d'Information No. 2017/VULN353
_____________________________________________________________________
DATE : 17/11/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running VMware AirWatch Console versions 9.x prior to 9.2.0, VMware AirWatch Launcher for Android versions prior to 3.2.2.
=====================================================================

https://lists.vmware.com/pipermail/security-announce/2017/000388.html
_______________________________________________________________

----------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2017-0016
Severity:    Important
Synopsis:    VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.
Issue date:  2017-11-08
Updated on:  2017-11-08 (Initial Advisory)
CVE number:  CVE-2017-4930, CVE-2017-4931, CVE-2017-4932

1. Summary

VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

2. Relevant Products

VMware AirWatch Console (AWC)
VMware AirWatch Launcher for Android (AWL)

3. Problem Description

a. VMware AirWatch Console stored XSS vulnerability

VMware AirWatch Console (AWC) contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device's 'Links' page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product   Running   Severity   Replace with/   Mitigation/
Product   Version   on                   Apply Patch     Workaround
========  ========  ========  =========  ==============  ===========
AWC       9.x       Any       Moderate   9.2.0+          None

b. VMware AirWatch Console CSV file integrity vulnerability

VMware AirWatch Console (AWC) contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device's log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious content.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4931 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product   Running   Severity   Replace with/   Mitigation/
Product   Version   on                   Apply Patch     Workaround
========  ========  ========  =========  ==============  ===========
AWC       9.x       Any       Moderate   9.2.0+          None

c. VMware AirWatch Launcher for Android UI privilege escalation

VMware AirWatch Launcher for Android contains a vulnerability that could allow an escalation of privilege from the launcher UI context menu to native UI functionality and privilege. Successful exploitation of this issue could result in an escalation of privilege.

VMware would like to thank Igor Shmakov for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4932 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product   Running   Severity   Replace with/   Mitigation/
Product   Version   on                   Apply Patch     Workaround
========  ========  ========  =========  ==============  ===========
AWL       x.x       Android   Important  3.2.2           None

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware AirWatch Console 9.2.0
Downloads and Documentation:
https://support.air-watch.com/articles/115012658907

VMware AirWatch Launcher for Android 3.2.2
Downloads and Documentation:
https://my.air-watch.com/products/AirWatch-Launcher/Android/v3.2.2/awall

5. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4930
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4931
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4932

----------------------------------------------------------------------------

6. Change log

2017-11-08: VMSA-2017-0016
Initial security advisory in conjunction with the release of VMware AirWatch Launcher for Android 3.2.2 on 2017-11-08.

---------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris           | email: cert@support.renater.fr   +
==========================================================
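Editor's note on items 3a and 3b. Both issues share a root cause: data entered by one console user (a link URL, a log entry) is later rendered for another console user, or opened in a spreadsheet, without being neutralised. The following Python is an added illustration of the two generic server-side checks that close these vulnerability classes; it is not VMware's code and says nothing about how 9.2.0 actually fixed them. The scheme allow-list, the function names, and the sample log rows are all assumptions made for the example.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumed policy for a device 'Links' page: only absolute http(s) URLs with a
# host may be stored. javascript:, data:, vbscript:, file: etc. are rejected.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Leading characters that desktop spreadsheet applications treat as the start
# of a formula when a CSV file is opened (the CSV injection trigger set).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_safe_link_url(raw: str) -> bool:
    """Return True only for an absolute http(s) URL that names a host.

    urlsplit() lower-cases the scheme, so 'JavaScript:alert(1)' is caught.
    Surrounding whitespace and embedded control characters are rejected
    outright, because browsers strip them before they detect the scheme.
    """
    if raw != raw.strip() or any(ord(c) < 0x20 for c in raw):
        return False
    parts = urlsplit(raw)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def neutralize_csv_cell(value: str) -> str:
    """Stop a cell from being evaluated as a spreadsheet formula.

    A cell beginning with a formula trigger is prefixed with a single quote,
    which spreadsheet applications display as literal text. Trade-off: a
    negative number such as '-42' is also quoted; export it as a numeric
    column instead if that matters. Quotes and newlines inside the cell are
    handled by the csv writer's quoting, not here.
    """
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_log_rows(rows) -> str:
    """Serialise log rows to CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_csv_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample input: one benign entry and one formula payload of
    # the kind an attacker could plant in a device log (assumed, not real data).
    sample_rows = [
        ("device-0001", "2017-11-08T10:00:00Z", "Device enrolled"),
        ("device-0002", "2017-11-08T10:01:00Z", "=cmd|' /C calc'!A0"),
    ]
    print(export_log_rows(sample_rows))
    for url in ("https://intranet.example.com/help", "javascript:alert(1)"):
        print(url, "->", "accepted" if is_safe_link_url(url) else "rejected")
```

In practice the URL check belongs at the point where the link is stored (reject, do not silently rewrite), and the CSV neutralisation belongs in the export path, since the log line itself may legitimately contain the offending characters.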