AirWatch Tunnel Proxy (Legacy Mobile Access Gateway Proxy) reachability vulnerability
AirWatch is contacting you to make you aware of a vulnerability related to a reachability check in the iOS SDK. Customers using the AirWatch Tunnel Proxy [Legacy MAG Proxy] with AirWatch Browser, custom-built SDK apps, and wrapped applications are affected.
The vulnerability involves a reachability test which induces the AirWatch Tunnel Proxy [Legacy MAG Proxy] to make a connection to a test domain. The request includes an HTTP payload containing no sensitive information. In the current implementation, this test domain does not exist. As a result, if an entity determined that connections were being made to this domain and then registered it, enrolled devices would connect to a domain controlled by that third party.
Although no data would be exchanged, the affected device’s IP address would be disclosed to the entity controlling the domain, since connection requests are typically logged. AirWatch believes this information leakage presents a minimal risk to our customers, as no actual data is included in the payload, and no data is included in the response. AirWatch takes our customers’ privacy seriously, and as a result we have taken the following steps:
- Release a patch for the AirWatch Tunnel Proxy which blocks the reachability URL used by the AirWatch SDK;
- Release a patch for the iOS SDK which modifies the reachability test to ensure a third-party domain is not used.
What you need to know.
If you are running a supported version (8.1+) of the AirWatch solution, a Feature Pack will be made available with the AirWatch Tunnel Proxy fix. Please consult the release notes for upcoming Feature Packs for additional details.
iOS SDK 5.9.1 will include modification of the reachability test to prevent connecting to third-party domains. Please consult the iOS SDK release notes for additional details on changes to the SDK.