FSEC-182599: AirWatch Console vulnerability through AwHttpProxy endpoint

Version Identified

AirWatch Console 8.1, 8.2, 8.3, 8.4, 9.0

Identifier

FSEC-182599

Symptoms

The AirWatch team has identified a vulnerability in the AirWatch Console which may permit a remote, unauthenticated entity to proxy HTTP requests through the Console server via the “/AwHttpProxy/” endpoint. The response data is then returned to the original requestor. Using this method, it is possible to interact with web servers reachable by the Console server.

Console server log entries will contain the string “/awhttpproxy/”.

Workaround

SaaS: No further action required.

On-premise: Customers with on-premise environments may mitigate this issue by blocking untrusted access to the “/awhttpproxy/” endpoint using a proxy or load balancer.
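To check whether the endpoint is already being reached from outside the trusted network, the Console server's IIS logs can be triaged for the "/awhttpproxy/" string mentioned above. The following is an added example, not code from the advisory or from AirWatch: the log lines, the trusted network range and the "url=" query are constructed for illustration, and the real endpoint's parameters are not assumed.

```python
"""Triage an IIS W3C log from an AirWatch Console server for requests to the
/awhttpproxy/ endpoint named in FSEC-182599. Added example, not code from the
advisory; the log lines, the trusted network and the 'url=' query are constructed."""
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended format (spaces in fields appear as '+').
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2017-01-10 08:00:01 10.0.0.5 GET /AirWatch/Login - 10.0.0.20 Mozilla/5.0 200
2017-01-10 08:00:09 10.0.0.5 GET /AwHttpProxy/ url=http://intranet.example/status 203.0.113.7 curl/7.50 200
2017-01-10 08:00:12 10.0.0.5 GET /awhttpproxy/ url=http://intranet.example/admin 203.0.113.7 curl/7.50 200
2017-01-10 08:00:30 10.0.0.5 POST /AirWatch/API/v1/devices - 10.0.0.21 AgentApp/1.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # header may repeat when IIS rotates the log
        elif raw and not raw.startswith("#"):
            values = raw.split()
            if len(values) == len(fields):    # skip malformed or truncated lines
                yield dict(zip(fields, values))

def find_proxy_hits(text, trusted_networks=("10.0.0.0/8",)):
    """Return (hits, per_ip): hits are (client_ip, is_trusted, query) for every request
    whose path contains /awhttpproxy/ (case-insensitive); per_ip counts hits per client."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits, per_ip = [], Counter()
    for entry in parse_w3c(text):
        if "/awhttpproxy/" not in entry.get("cs-uri-stem", "").lower():
            continue
        client = entry.get("c-ip", "-")
        try:
            is_trusted = any(ipaddress.ip_address(client) in n for n in trusted)
        except ValueError:                    # '-' or garbage in c-ip: treat as untrusted
            is_trusted = False
        hits.append((client, is_trusted, entry.get("cs-uri-query", "-")))
        per_ip[client] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = find_proxy_hits(SAMPLE_LOG)
    for client, is_trusted, query in hits:
        print(("trusted  " if is_trusted else "UNTRUSTED") + f" {client} {query}")
    print("per client:", dict(per_ip))
```

Any untrusted client with repeated hits is a candidate for the load balancer or proxy block described above, and the recorded query shows which internal hosts were requested through the Console.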

Customers who use the following services and have also made custom modifications to the IIS configuration (e.g. changes to the web.config) should not apply the mitigation steps, because the steps have a functional impact on these services:

  • WebDAV
  • SSRS (Reports)
  • SharePoint

If you are using the above services but have not made custom modifications to the web.config, the mitigation steps may be applied. AirWatch recommends that all customers plan to upgrade their environments per the resolution steps below as soon as possible.

Resolution

This issue has been resolved in all dedicated-SaaS and shared-SaaS environments on all AirWatch Console versions. Customers on SaaS environments do not need to take any further action. If you have a dedicated-SaaS environment that is not running one of the latest AirWatch versions, you can submit an upgrade request through the My Company portal in myAirWatch.

This issue has been fully resolved in AirWatch 8.4.8 and 9.0.1. For on-premise environments, make sure to take a backup of your server prior to upgrading, and follow our self-upgrade instructions (8.4, 9.0). You can download the AirWatch 8.4.8 and 9.0.1 software in myAirWatch.
