On Tuesday, December 5, 2017, VMware AirWatch support was made aware of an information disclosure affecting a single customer in a SaaS environment. The information disclosure involved an AirWatch customer coming into contact with another customer’s device details via the AirWatch Admin Console. The information disclosed included the following data elements:
- Device Friendly Name (ex: John’s iPad)
- Username (ex: jsmith)
- Enrollment Type (ex: Employee-owned)
- First Name
- Last Name
- Operating System
- Display Model
- Organization Group
VMware AirWatch discovered no additional instances where customer information was exposed and has already notified the affected customer. As soon as the issue was reported, our teams conducted an analysis to understand the impact of the issue and began working on patches for supported versions.
What’s the vulnerability?
Exploitation of this vulnerability is restricted to administrators with authenticated access to the AirWatch Admin Console. An administrator of one Organization Group may view details of a device in another Organization Group. Enrolled users who are not administrators and unauthenticated users will not encounter this issue.
The vulnerability consists of two distinct issues which, together, could allow a tenant to accidentally come into contact with another tenant’s device details. The first is a UI defect that, under certain conditions, can cause the details of the wrong device to be displayed. The second, which is the vulnerability disclosed in CVE-2017-4942, is a missing access control check on the device details request: because the request is not checked against the administrator’s Organization Group scope, the device details are returned to an administrator who is not authorized to view them. The following default administrator roles possess the needed permissions to exploit this issue:
- System admin
- AirWatch admin
- Console admin
- Device admin
- NSX admin
- App Catalog Only admin
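The following is an added illustration of the second issue, not AirWatch code and not a description of the AirWatch Admin Console’s internals: a device details lookup that only checks the role permission, beside a hardened version that also checks that the device’s Organization Group lies within the administrator’s scope. The Organization Group tree, the admin, the devices and the function names (`device_details_unchecked`, `device_details_checked`, `in_scope`, `can_view`) are all constructed for the example.

```python
"""
Added illustration (not AirWatch code): a device-details lookup with and
without an Organization Group scope check.

All data here is constructed: the Organization Group tree, the admin and
the devices are made-up samples used to show where the check belongs.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set


@dataclass
class Device:
    device_id: int
    friendly_name: str
    username: str
    org_group: str  # Organization Group the device is enrolled in


@dataclass
class Admin:
    username: str
    role: str
    scope_root: str  # Organization Group at which this admin's role applies


# Constructed Organization Group tree: child -> parent (None for the root).
ORG_GROUP_PARENT: Dict[str, Optional[str]] = {
    "Global": None,
    "TenantA": "Global",
    "TenantA/Sales": "TenantA",
    "TenantB": "Global",
}

# Constructed sample devices belonging to two different tenants.
DEVICES: Dict[int, Device] = {
    1001: Device(1001, "John's iPad", "jsmith", "TenantA/Sales"),
    2001: Device(2001, "Mary's Phone", "mjones", "TenantB"),
}

# Roles that carry the Device Details permission in this toy model
# (role names follow the advisory; the mapping itself is constructed).
ROLES_WITH_DEVICE_DETAILS: Set[str] = {"Device admin", "Console admin"}


class Forbidden(Exception):
    """Raised when an admin may not view the requested device."""


def ancestors(org_group: str) -> Iterator[str]:
    """Yield org_group and every Organization Group above it."""
    current: Optional[str] = org_group
    while current is not None:
        yield current
        current = ORG_GROUP_PARENT[current]


def in_scope(admin: Admin, org_group: str) -> bool:
    """True if org_group is admin.scope_root or one of its descendants."""
    return admin.scope_root in ancestors(org_group)


def device_details_unchecked(admin: Admin, device_id: int) -> Device:
    """Missing access-control check: the role permission is verified, but
    the device is then fetched by ID regardless of which tenant owns it."""
    if admin.role not in ROLES_WITH_DEVICE_DETAILS:
        raise Forbidden("role lacks Device Details permission")
    return DEVICES[device_id]


def device_details_checked(admin: Admin, device_id: int) -> Device:
    """Hardened version: the device's Organization Group must lie inside the
    admin's scope, and unknown IDs fail closed with the same error so the
    response does not reveal whether an ID exists in another tenant."""
    if admin.role not in ROLES_WITH_DEVICE_DETAILS:
        raise Forbidden("role lacks Device Details permission")
    device = DEVICES.get(device_id)
    if device is None or not in_scope(admin, device.org_group):
        raise Forbidden("device not found in your Organization Group scope")
    return device


def can_view(admin: Admin, device_id: int) -> bool:
    """Convenience wrapper around the hardened lookup for policy checks."""
    try:
        device_details_checked(admin, device_id)
        return True
    except Forbidden:
        return False


# Constructed admin scoped to TenantA only.
TENANT_A_ADMIN = Admin("alice", "Device admin", "TenantA")


if __name__ == "__main__":
    print(device_details_checked(TENANT_A_ADMIN, 1001).friendly_name)
    print("tenant B device visible to tenant A admin:",
          can_view(TENANT_A_ADMIN, 2001))
```

Run stand-alone, the block shows the TenantA administrator retrieving the TenantA device but being refused the TenantB one. The scope check walks up the device’s Organization Group chain rather than comparing a single group name, so an admin at TenantA can still see devices in child groups such as TenantA/Sales; this matches the advisory’s framing of an administrator "of one Organization Group" rather than of a flat list of groups.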
What can our customers do?
Shared SaaS: If you are in a shared SaaS environment, no action is required as all shared SaaS environments have been patched for this vulnerability. The issue is resolved in AirWatch Shared SaaS 184.108.40.206 and above.
Dedicated SaaS and On-Premise: Patches have been made available for all AirWatch Console versions 9.0.1 and up. On-Premise customers can get the patch for their respective versions below:
Note: This issue has been resolved as part of AirWatch 9.2.2. This patch is not required if you do not run your environment in multi-tenant mode or allow admin access to all Organization Groups.
Additionally, customers with Dedicated SaaS AirWatch environments can request the fix be applied for their environment by entering a support request.
A workaround is available for customers who are unable to immediately apply the patch. To mitigate the issue, you may revoke the granular ‘Device Details’ permissions associated with each administrator role. To do so, perform the following steps:
- Navigate to Accounts > Administrators > Roles
- Select the Edit icon
- Navigate to Device Management > Device Details
- Remove the edit permission for Device Wipe and Device Delete
- Click Save
Note: Administrators who have access to edit roles will be able to re-enable access to these actions. To disable this, remove the edit permission for the Add/Edit resource from the role edit dialog at Accounts > Administrators > Roles.
If an administrator whose role has been modified needs to perform a Device Delete action, this can be done from the Device List View page under Devices > List View by searching for and selecting the appropriate device.