VMware's enterprise mobility management tool can p0wn itself
AirWatch's Android app and Agent need an update, stat
VMware's AirWatch enterprise mobility management service has two flaws that mean the software needs an update ASAP.
In an emailed security advisory, VMware warns that “Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection during enrollment.”
“Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data.”
The second flaw means “Airwatch Inbox for Android contains a vulnerability that may allow a rooted device to decrypt the local data used by the application.”
The potential outcome of this one is “unauthorized disclosure of confidential data.”
Two as-yet-unexplained flaws, CVE-2017-4895 and CVE-2017-4896, lie at the root of these problems. VMware's thanked Finn Steglich from SySS GmbH for noticing and reporting the bugs.
AirWatch was described as growing “robustly” in VMware's Q4 earnings call last week. ®