Information Exposure Through Legacy App Catalog URL

Symptoms

When the Legacy App Catalog profile is deployed, the catalog URL may expose a device hardware identifier. This is not a security vulnerability - the issue grants no direct access to unauthorized data - but such identifiers may be considered sensitive, so customers may wish to move to the latest secure version of the catalog, which is unaffected by this issue.


How to identify if you are affected

If you are a SaaS or On-Premise customer and you explicitly use the App Catalog URL in a profile (a Web Clips profile for iOS, a Bookmarks profile for Android, etc.) deployed with the following URL format, device hardware IDs might be exposed:

https://<servername>/AppCatalog?UID={DeviceUdid}


Additionally, if you are On-Premise, check whether the following query returns any rows (columns LocationGroupID, CustomerName and DeviceCount):

-- Time parameter: the date the environment was upgraded to 7.3
DECLARE @StartTime DATETIME;

SELECT TOP 1 @StartTime = StartTime
FROM UpgradeHistory
WHERE MajorVersion = 7
  AND MinorVersion = 3
ORDER BY StartTime;

-- Customers (and their device counts) that still have an iOS App Catalog Settings
-- profile, last modified before the 7.3 upgrade, installed on devices
SELECT LG.LocationGroupID,
       LG.Name AS CustomerName,
       COUNT(D.DeviceID) AS DeviceCount
FROM deviceProfile.DeviceProfileDevicePool DPDP WITH (NOLOCK)
INNER JOIN deviceProfile.DeviceProfile DP WITH (NOLOCK)
    ON DPDP.DeviceProfileID = DP.DeviceProfileID
INNER JOIN dbo.Device D WITH (NOLOCK)
    ON DPDP.DeviceID = D.DeviceID
INNER JOIN dbo.Location L
    ON D.LocationID = L.LocationID
INNER JOIN dbo.LocationGroupFlat LGF WITH (NOLOCK)
    ON L.PrimaryLocationGroupID = LGF.ChildLocationGroupID
INNER JOIN dbo.LocationGroup LG WITH (NOLOCK)
    ON LGF.ParentLocationGroupID = LG.LocationGroupID
WHERE LG.LocationGroupTypeID = 2                 -- customer-type location groups
  AND DP.ModifiedOn < @StartTime                 -- profile not re-saved since the 7.3 upgrade
  AND DP.Name = 'iOS App Catalog Settings'
  AND DPDP.InstalledStatusID = 1                 -- profile installed on the device
GROUP BY LG.Name, LG.LocationGroupID;


Fix Version

If you have published a profile affected by this issue, add a new version of the profile with the following URL format:

https://<servername>/Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}

Once you have finalized the URL changes, publish the new version. This will deploy the latest secure version of the catalog to the devices.
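The following is an added audit helper, not part of this advisory and not AirWatch code: it classifies the catalog URLs published in your profiles as the legacy UDID-exposing format or the secure format described above, so you can list the profiles that still need a new version. The host names and profile names are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

LEGACY_PATH = "/appcatalog"              # legacy: /AppCatalog?UID={DeviceUdid}
SECURE_PREFIX = "/catalog/viewcatalog/"  # secure: /Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}


def classify_catalog_url(url: str) -> str:
    """Return 'legacy' for the UDID-exposing App Catalog URL format,
    'secure' for the /Catalog/ViewCatalog/... format, and 'other' otherwise.

    Paths and query keys are compared case-insensitively (the console is
    served by IIS, which treats them that way), so /appcatalog/?uid=... is
    still a legacy hit, whether the UID is the unresolved {DeviceUdid}
    lookup value or an identifier that has already been substituted."""
    parts = urlsplit(url.strip())
    path = parts.path.lower().rstrip("/")
    if path == LEGACY_PATH:
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if "uid" in params:
            return "legacy"
    if path.startswith(SECURE_PREFIX):
        # The secure format carries exactly two segments after the prefix:
        # the secure device token and the device platform.
        segments = [s for s in path[len(SECURE_PREFIX):].split("/") if s]
        if len(segments) == 2:
            return "secure"
    return "other"


def profiles_needing_new_version(profiles):
    """profiles: iterable of (profile_name, url) pairs exported from the console.
    Returns the names of profiles still pointing at the legacy format."""
    return [name for name, url in profiles if classify_catalog_url(url) == "legacy"]


# Constructed sample payload URLs (hypothetical tenant, not real data).
SAMPLE_PROFILES = [
    ("iOS Web Clip - Catalog", "https://mdm.example.com/AppCatalog?UID={DeviceUdid}"),
    ("Android Bookmark - Catalog", "https://mdm.example.com/appcatalog/?uid={DeviceUdid}&lang=en"),
    ("iOS Web Clip - Catalog v2", "https://mdm.example.com/Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}"),
    ("Intranet portal", "https://intranet.example.com/AppCatalog"),
]

if __name__ == "__main__":
    for name in profiles_needing_new_version(SAMPLE_PROFILES):
        print(f"Legacy catalog URL still published: {name}")
```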

If you are an On-Premise customer and the query above returned results, navigate to Settings > Apps > Workspace ONE > App Catalog > General and re-save the Settings page. This will deploy the latest secure version of the catalog to the devices.

Note: On-Premise customers who are not affected do not need to perform this step.


Support Contact Information

To open a Support Request, please call your local AirWatch support line or submit a Support Request via myAirWatch.


Best Regards,

The AirWatch Team
