#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: VMware AirWatch [1]
# Vendor: VMware, Inc.
# CSNC ID: CSNC-2018-025
# CVE ID: CVE-2018-6975, CVE-2018-6976
# Subject: Insufficient Data Protection
# Risk: Medium
# Effect: Locally exploitable
# Author: Stephan Sekula
# Date: 14.05.2018
#
#############################################################

Introduction:
-------------
AirWatch® Mobile Device Management enables businesses to address the
challenges associated with mobility by providing a simplified,
efficient way to view and manage all devices from the central admin
console. Our solution enables you to enroll devices in your enterprise
environment quickly, configure and update device settings over-the-air,
and secure mobile devices. With AirWatch, you can manage a diverse
fleet of Android™, Apple® iOS, BlackBerry®, Mac® OS, Symbian® and
Windows® devices from a single admin console. [1]

Compass Security discovered several security flaws in AirWatch iOS apps
(Agent, Browser, Content Locker), which allow attackers to access
private data on a stolen device more easily.

Affected:
---------
Vulnerable:
* AirWatch Agent 5.7.0
* VMware Browser 6.12
* VMware Content Locker 4.13.2

Not vulnerable:
* AirWatch Agent 5.8.1
* VMware Content Locker 4.14

Technical Description
---------------------
The protection class of files and keychain entries is insufficient.

Files:
[CUT] filedp[1444:178159] file name is:/var/mobile/Containers/Data/Application/
[CUT]/Documents/com.air-watch.content.locker
[CUT].log - protection class: NSFileProtectionCompleteUntilFirstUserAuthentication

Keychain:
"[CUT]" : {
    "Protection" : "kSecAttrAccessibleAfterFirstUnlock",
    "Account" : "com.air-watch.content.locker",
    "EntitlementGroup" : "[CUT].*",
    "Creation Time" : "[CUT]",
    "Service" : "com.app.key.service.session.v1",
    "Modified Time" : "[CUT]",
    "Data" : "QVc[CUT]=="
}

Moreover, e.g., file names in Content Locker are stored unencrypted in
the FileLocker.sqlite database:
sqlite> SELECT * FROM ZCONTENTENTITY;
[CUT]|text/plain|csnc.txt|C
[CUT]|csnc.docx|C

Workaround / Fix:
-----------------
This issue can be fixed by setting the file protection class to
NSFileProtectionComplete, the keychain protection class to
kSecAttrAccessibleWhenUnlocked, and by implementing an additional layer
of encryption for all data stored on the device.

Timeline:
---------
2018-09-06: Coordinated public disclosure date
2018-09-05: Publish VMware Security Advisory
2018-09-05: Release of VMware Content Locker for iOS 4.14
2018-08-31: Release of AirWatch Agent for iOS 5.8.1
2018-05-16: Initial vendor response
2018-05-14: Initial vendor notification
2018-05-11: Discovery by Stephan Sekula

References:
-----------
[1] https://www.air-watch.com/downloads/brochures/AirWatch_brochure_mobile_device_management.pdf
[2] https://www.air-watch.com/
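
The two protection-class changes named under Workaround / Fix, sketched in Swift for iOS as an added example (not code from the advisory or from VMware). The helper names and the service/account strings supplied by the caller are hypothetical, and the additional encryption layer is not covered here.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum StorageError: Error { case keychain(OSStatus) }

/// Write new files with NSFileProtectionComplete from the start.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Raise existing files (logs, SQLite stores) that still carry a weaker
/// class such as NSFileProtectionCompleteUntilFirstUserAuthentication.
func upgradeProtection(inDirectory dir: URL) throws {
    let fm = FileManager.default
    guard let walker = fm.enumerator(at: dir, includingPropertiesForKeys: nil) else { return }
    for case let url as URL in walker {
        let attrs = try fm.attributesOfItem(atPath: url.path)
        let current = attrs[.protectionKey] as? FileProtectionType
        if current != FileProtectionType.complete {
            try fm.setAttributes([.protectionKey: FileProtectionType.complete],
                                 ofItemAtPath: url.path)
        }
    }
}

/// Store a secret with kSecAttrAccessibleWhenUnlocked. An existing item
/// (for example one created as kSecAttrAccessibleAfterFirstUnlock) is
/// updated in place so its accessibility class is tightened as well.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    let match: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    let values: [String: Any] = [
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked,
    ]
    var status = SecItemUpdate(match as CFDictionary, values as CFDictionary)
    if status == errSecItemNotFound {
        let item = match.merging(values) { _, new in new }
        status = SecItemAdd(item as CFDictionary, nil)
    }
    guard status == errSecSuccess else { throw StorageError.keychain(status) }
}
```

With NSFileProtectionComplete and kSecAttrAccessibleWhenUnlocked, reads and writes fail while the device is locked, so background work that touches these files or keychain items has to run while the device is unlocked.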