#############################################################
#
# COMPASS SECURITY ADVISORY https://www.compass-security.com/research/advisories/
#
#############################################################
#
# CSNC ID: CSNC-2016-008
# Product: AirWatch [1]
# Vendor: VMware
# Subject: Cross-Site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Stephan Sekula (stephan.sekula@compass-security.com)
# Date: March 22nd 2017
#
#############################################################

Introduction:
-------------
AirWatch is built to manage the entire lifecycle of any endpoint, across all major operating systems in a single management console. You have various use cases spread across your business. The advantage of managing mobility with AirWatch is the ability to uniquely support these use cases within a single solution, including full device management, app-level management for BYOD or line of business use cases such as kiosk or shared devices. [1]

Compass Security discovered a web application security flaw in the AirWatch web application which allows an attacker to manipulate the resulting website. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. In order to do so, the attacker needs to be able to upload and share a file.

Affected Versions:
------------------
The following AirWatch versions are vulnerable:

- 9.0
- 9.0.1
- 9.0.2

A fix is available for AirWatch version 9.0.3. Versions 9.0.3+ are not vulnerable.

Patches:
--------
VMware released patches for each affected version as part of AirWatch Security Advisory FSEC-182621.

Technical Description:
----------------------
VMware AirWatch provides a file upload functionality, allowing authenticated users to upload files to the system. If a shared, password-protected file is renamed so that its filename includes JavaScript code, this code is executed once a victim visits the share URL.

Exploiting the vulnerability leads to so-called Cross-Site Scripting (XSS), allowing the execution of JavaScript in the context of the victim.

Example filename:

test';alert(0);'.txt

Filename inclusion in resulting website:

Milestones:
-----------
2016-11-16: Vulnerability discovered
2016-11-21: Vendor notified
2017-03-21: Vendor provided patched version
2017-03-22: Public disclosure

References:
-----------
[1] http://www.vmware.com/products/enterprise-mobility-management.html
[2] http://www.vmware.com/security/advisories.html