=====================================================================
                            CERT-Renater

                 Note d'Information No. 2023/VULN535
_____________________________________________________________________

DATE                 : 13/12/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running VMware Workspace ONE Launcher
                       versions prior to 23.11.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2023-0027.html
_____________________________________________________________________

Moderate

Advisory ID:  VMSA-2023-0027
CVSSv3 Range: 6.3
Issue Date:   2023-12-12
Updated On:   2023-12-12 (Initial Advisory)
CVE(s):       CVE-2023-34064
Synopsis:     VMware Workspace ONE Launcher updates address a
              privilege escalation vulnerability. (CVE-2023-34064)

1. Impacted Products

  o VMware Workspace ONE Launcher

2. Introduction

A privilege escalation vulnerability in VMware Workspace ONE Launcher
was responsibly reported to VMware. Updates are available to remediate
this vulnerability in affected VMware products.

3. Privilege Escalation Vulnerability

Description

Workspace ONE Launcher contains a privilege escalation vulnerability.
VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 6.3.

Known Attack Vectors

A malicious actor with physical access to Workspace ONE Launcher could
utilize the Edge Panel feature to bypass setup and gain access to
sensitive information.

Resolution

To remediate CVE-2023-34064, apply the updates listed in the 'Version
Fixed' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Bartek Pszczola of Defendable for reporting
this issue to us.

Response Matrix

Product                        Version  Running On  CVE Identifier  CVSSv3  Severity  Version Fixed  Workarounds  Additional Documentation
Workspace ONE Launcher         23.x     Android     CVE-2023-34064  6.3     moderate  23.11          N/A          None
VMware Workspace ONE Launcher  22.x     Android     CVE-2023-34064  6.3     moderate  23.11          N/A          None

4. References

Fixed Version(s) and Release Notes:

VMware Workspace ONE Launcher 23.11 Release Notes
Downloads and Documentation
https://my.workspaceone.com/products/Workspace-ONE-Launcher/Android/v23.11/awall
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/vmware-workspace-one-launcher-for-android-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34064

FIRST CVSSv3 Calculator:
CVE-2023-34064:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2023-12-12 VMSA-2023-0027
Initial security advisory.

6. Contact

E-mail: security@vmware.com

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
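
The following Python example is added here and is not part of the VMware advisory or the CERT-Renater note. It checks a device inventory against the fixed version 23.11 from the Response Matrix; the CSV column names and the device entries are constructed for illustration and do not reflect a Workspace ONE UEM export format.

```python
import csv
import io

FIXED = (23, 11)  # 'Version Fixed' column of the Response Matrix

def parse_version(text):
    """Turn '23.9.0.4' into (23, 9, 0, 4); return None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one Launcher version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never assume patched
    # Compare numerically: as plain strings, '23.9' would sort after '23.11'.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "vulnerable" if padded < FIXED else "fixed"

# Constructed inventory; column names are assumptions made for this example.
SAMPLE_INVENTORY = """device_id,launcher_version
kiosk-001,22.8.0.3
kiosk-002,23.9
kiosk-003,23.11
kiosk-004,23.11.0.2
kiosk-005,unknown
"""

def triage(inventory_csv):
    """Group device ids by status so unpatched and unparseable entries stand out."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["launcher_version"])].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(devices) or '-'}")
```

Devices reported as unknown should be checked by hand, since a missing or malformed version string says nothing about patch state.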