VMware released a security update to the VMware Workspace ONE Unified Endpoint Management Console (also known as AirWatch Console) which resolves a SAML authentication bypass vulnerability of critical severity that could allow attackers to gain control of vulnerable systems.
The AirWatch Console is designed to help its users to view and manage all aspects of Mobile Device Management (MDM) deployment in an enterprise.
Via AirWatch Console's web-based interface, users can rapidly and effortlessly add new users and devices to the company's fleet, as well as configure system settings in detail and manage profiles.
The AirWatch Console can be used to manage endpoints over all major operating systems, from Android, iOS, and Windows 10, to macOS, Chrome OS, QNX, Tizen, and many more via a single and easy to use dashboard.
According to VMWare's advisory, the VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contained a SAML authentication bypass vulnerability which could be leveraged during the device enrollment process.
VMware already fixed the SAML authentication bypass issue and released patches for all vulnerable versions of A/W Console
VMware says in their security report that the VMSA-2018-0024 vulnerability present in unpatched systems can enable bad actors to impersonate authorized SAML sessions when the certificate-based authentication option is toggled on and take control of the affected system.
Although it needs the certificate-based authentication to be enabled, the vulnerability can still be exploited by attackers when the option is turned off with a different result: instead of gaining control of the vulnerable system, the outcome is restricted to an information disclosure incident (Important Severity).
The vulnerable Airwatch Console versions are as follows: 9.7.x prior to 22.214.171.124, 9.6.x prior to 126.96.36.199, 9.5.x prior to 188.8.131.52, 9.4.x prior to 184.108.40.206, 9.3.x prior to 220.127.116.11, 9.2.x prior to 18.104.22.168, and 9.1.x prior to 22.214.171.124.
Patches for this vulnerability are available on the public disclosure page, but if you cannot patch the Airwatch Console on your systems, you can still toggle off SAML authentication for enrollment from System > Enterprise Integration > Directory Services as a mitigation step.
This security issue got assigned the CVE-2018-6979 identifier by the Common Vulnerabilities and Exposures project.