Background
VMware Workspace ONE UEM currently offers a real-time File Manager for Android and Windows Mobile/CE devices, and Task/Registry Managers for Windows Mobile/CE devices. These capabilities are independent of other File & Registry Management capabilities within the AirWatch platform such as Files/Actions through Product Provisioning and the newer File Manager inside Advanced Remote Management. These legacy File, Task & Registry Management features are built upon legacy technologies and have recently been discovered to be impacted by an urgent security vulnerability.
Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM). This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015.
The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sandbox and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory. As noted, it is additionally possible to modify the values of registry keys or kill running tasks on Windows Mobile/CE devices.
Customer Impact
This vulnerability is resolved in the latest version of the Agent for both Android and Windows Mobile/CE devices.
- Customers with Android devices: navigate to Settings > Devices & Users > Android > Agent Settings and check the setting "Use AWCM Instead of C2DM/GCM As Push Notification Service".
  - If the setting is disabled, you are not affected as you are using Google Cloud Messaging (GCM).
  - If the setting is enabled, you should upgrade to Agent 8.2 for Android as you are using AirWatch Cloud Messaging (AWCM).
- Customers with Windows Mobile/CE devices should upgrade to Agent 6.5.2 for Windows Mobile.
As part of mitigating this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.
- To continue using File & Task Management functionality: It is recommended to utilize File Manager within Advanced Remote Management.
- To continue using Registry Management functionality: It is recommended to provision and install registry keys (.reg files) through product provisioning.
Required Action
Customers with Android devices using AWCM should upgrade to Agent 8.2 for Android.
Customers with Windows Mobile/CE devices should upgrade their devices to Agent 6.5.2 for Windows Mobile. This can be downloaded here.
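The following is an added example, not VMware code: a triage script that applies the upgrade rules above to a device inventory export. The CSV column names and sample rows are constructed for illustration and are not a Workspace ONE UEM export format; the script assumes that versions newer than 8.2 (Android) and 6.5.2 (Windows Mobile) also carry the fix.

```python
import csv
import io

# Minimum agent versions named in the advisory.
FIXED = {"android": (8, 2), "windowsmobile": (6, 5, 2)}

# Constructed sample export; column names are hypothetical.
SAMPLE_CSV = """device_id,platform,agent_version,awcm_enabled
dev-001,Android,8.1.3,true
dev-002,Android,8.1.3,false
dev-003,Android,8.10.0,true
dev-004,WindowsMobile,6.5.1,true
dev-005,WindowsMobile,6.5.2,true
dev-006,Android,,true
"""

def parse_version(text):
    """Turn '8.10.0' into (8, 10, 0); return None if missing or malformed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def is_older(version, fixed):
    """Numeric compare, zero-padded so 8.2 == 8.2.0 and 8.10 > 8.2."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(row):
    """Return 'upgrade', 'ok', 'not_affected' or 'review' for one row."""
    platform = row["platform"].strip().lower()
    if platform not in FIXED:
        return "review"
    if platform == "android":
        awcm = row["awcm_enabled"].strip().lower()
        if awcm == "false":
            return "not_affected"  # advisory: device uses GCM, not AWCM
        if awcm != "true":
            return "review"  # push setting unknown: check the console
    version = parse_version(row["agent_version"])
    if version is None:
        return "review"  # agent version unknown: check manually
    return "upgrade" if is_older(version, FIXED[platform]) else "ok"

def triage_export(text):
    return {r["device_id"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for device, verdict in triage_export(SAMPLE_CSV).items():
        print(device, verdict)
```

Versions are compared numerically per component because a plain string comparison would rank 8.10 below 8.2 and wrongly flag a patched agent.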
Support Contact Information
To receive support, either submit a ticket via My Workspace ONE portal or call your local support line.
Best Regards,
The VMware Workspace ONE Team