VMware's enterprise mobility management tool can p0wn itself

AirWatch's Android app and Agent need an update, stat


VMware's AirWatch enterprise mobility management service has two flaws that mean the software needs an update ASAP.

In an emailed security advisory, VMware warns that “Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection during enrollment.”

“Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data.”

The second flaw means “Airwatch Inbox for Android contains a vulnerability that may allow a rooted device to decrypt the local data used by the application.”

The potential outcome of this one is “unauthorized disclosure of confidential data.”

Happily, both can be fixed with a quick trip to Google Play, where an updated agent and Inbox app await your downloading pleasure.

Two as-yet-unexplained flaws, CVE-2017-4895 and CVE-2017-4896, lie at the root of these problems. VMware's thanked Finn Steglich from SySS GmbH for noticing and reporting the bugs.

AirWatch was described as growing “robustly” in VMware's Q4 earnings call last week. ®

