Details of AirWatch user-supplied input security hole revealed

While VMware has fixed a security hole on its AirWatch cloud, on-premises users are recommended to update to the latest version of AirWatch.

AirWatch has fallen foul of one of the oldest tricks in the programming book: Trusting user-supplied input.

Consequently, it was possible for a malicious user to access information on other customers using AirWatch cloud, and download applications belonging to other customers.

New Zealand security company (SA) alerted VMware to the issue on October 29, and a patch was issued on December 10, SA said in an advisory (PDF) describing the vulnerability.

"The AirWatch cloud console was found to use integers to reference various objects," SA said. "Direct access to these objects is available based on the user-supplied input."

By manipulating GET variables, SA researcher Denis Andzakovic was able to enumerate information belonging to other customers, including smart groups, reputation scans, and private applications.

Andzakovic also found it was possible to trigger an install of another customer's private application on end devices once an application ID was found.
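The flaw the advisory describes is an insecure direct object reference: the application is fetched by the integer the client sends, without checking that it belongs to the caller's tenant. The following is an added illustration, not AirWatch or VMware code; the `Application` model, the two constructed tenants and the `cross_tenant_exposure` regression check are assumptions made for the example. It shows the vulnerable lookup beside the tenant-scoped fix and a check a defender can run to confirm that no object outside the caller's tenant is reachable.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

@dataclass(frozen=True)
class Application:
    app_id: int          # integer reference exposed in the GET parameter
    customer_id: int     # tenant that owns the object
    name: str

# Constructed sample data: two tenants, one private application each.
APPS = {
    101: Application(101, customer_id=1, name="Acme Payroll"),
    102: Application(102, customer_id=2, name="Globex Field Ops"),
}

class NotFound(Exception):
    """Raised for unknown and foreign IDs alike, so responses do not reveal which."""

def get_app_vulnerable(app_id: int, caller_customer_id: int) -> Application:
    """IDOR: only the user-supplied integer is consulted;
    the caller's tenant is ignored."""
    try:
        return APPS[app_id]
    except KeyError:
        raise NotFound(app_id)

def get_app_fixed(app_id: int, caller_customer_id: int) -> Application:
    """Object-level authorization: the lookup is scoped to the caller's tenant."""
    app = APPS.get(app_id)
    if app is None or app.customer_id != caller_customer_id:
        raise NotFound(app_id)
    return app

def cross_tenant_exposure(lookup: Callable[[int, int], Application],
                          caller_customer_id: int,
                          id_range: Iterable[int]) -> List[str]:
    """Authorization regression test: sweep an ID range as a given tenant
    and return the names of objects that belong to someone else.
    A correct handler always returns an empty list."""
    leaked = []
    for app_id in id_range:
        try:
            app = lookup(app_id, caller_customer_id)
        except NotFound:
            continue
        if app.customer_id != caller_customer_id:
            leaked.append(app.name)
    return leaked
```

Run as tenant 1 over IDs 100 to 109, the vulnerable lookup exposes tenant 2's "Globex Field Ops" while the fixed lookup exposes nothing.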

Although AirWatch cloud was patched last month, on-premises users of AirWatch that have not upgraded beyond version remain vulnerable to the attack.

AirWatch was purchased by VMware this time last year for $1.54 billion.