Information disclosure in VMware Workspace ONE SDK and dependent mobile applications



Published: 2020-01-10
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2020-3940
CWE-ID: CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Workspace ONE SDK
Other software / Other software solutions

Workspace ONE SDK (Objective-C)
Other software / Other software solutions

Workspace ONE Boxer
Mobile applications / Apps for mobile phones

Workspace ONE Content for Android
Mobile applications / Apps for mobile phones

Workspace ONE Content for iOS
Mobile applications / Apps for mobile phones

Workspace ONE Intelligent Hub
Mobile applications / Apps for mobile phones

Workspace ONE Notebook
Mobile applications / Apps for mobile phones

Workspace ONE People
Mobile applications / Apps for mobile phones

Workspace ONE PIV-D
Mobile applications / Apps for mobile phones

Workspace ONE Web
Mobile applications / Apps for mobile phones

Workspace ONE SDK Plugin for Apache Cordova
Web applications / Modules and components for CMS

Workspace ONE SDK Plugin for Xamarin
Web applications / Modules and components for CMS

Vendor: VMware, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU24188

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3940

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected software does not properly handle certificate verification failures when SSL Pinning has been enabled in the Workspace ONE UEM Console. A remote attacker with a man-in-the-middle (MITM) network position between an affected mobile application and Workspace ONE UEM Device Services can capture sensitive data in transit if SSL Pinning is enabled.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Workspace ONE SDK: 19.8 - 19.10

Workspace ONE Boxer: 5.11 - 5.13

Workspace ONE SDK (Objective-C): 5.9.9.7

Workspace ONE Content for Android: 3.20 - 3.20.1

Workspace ONE Content for iOS: 4.19.3

Workspace ONE SDK Plugin for Apache Cordova: 1.5

Workspace ONE Intelligent Hub: 19.09 - 19.11

Workspace ONE Notebook: 1.2

Workspace ONE People: before 1.3.2

Workspace ONE PIV-D: 1.4.1

Workspace ONE Web: 7.8 - 7.10

Workspace ONE SDK Plugin for Xamarin: 1.4

External links

http://www.vmware.com/security/advisories/VMSA-2020-0001.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
