-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-028
Product: AirWatch Inbox App for Android
Vendor: VMware
Affected Version(s): any before 2.12
Tested Version(s): 2.5.0.11
Vulnerability Type: Insecure Data Storage
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2016-04-04
Solution Date: 2017-01-28
Public Disclosure: 2017-01-30
CVE Reference: CVE-2017-4896
Author of Advisory: Finn Steglich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

VMware AirWatch Inbox App for Android is a container app that provides
secure corporate e-mail on managed devices.

The vendor VMware AirWatch describes the product as follows (see [1]):

"VMware AirWatch® Mobile Email Management™ delivers comprehensive
security for corporate email infrastructures. Email security
requirements vary for organizations, depending on supported device
ownership models and industry regulations. AirWatch offers flexible
options for your email management strategy, giving you choice over the
deployment strategy that best fits your business and security
requirements. Integration with existing email infrastructures ensures
you are maximizing your technology investments. Access to corporate
email can be configured through the native device client or VMware
AirWatch® Inbox™, a secure email container."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An attacker who gains file system access to the locally stored app data
(path /data/data/com.airwatch.email/) on the device, for example by
rooting the device and circumventing the root detection, or by other
means, is able to decrypt the container data (e-mails, attachments,
passwords, etc.) without any further credentials. In particular, the
AirWatch passphrase is not needed to decrypt the data.
SySS GmbH found that the following information is sufficient to decrypt
the master_encryption_key (which is stored in a shared preferences
file):

* the value deviceUID from the shared preferences file
* the value Vector from the shared preferences file
* a hard-coded static string that is present in the source code of all
  AirWatch apps
* a value that depends only on the deviceUID and can be calculated at
  run time by a native library shipped with all AirWatch apps

None of these inputs is a secret known only to the user: all of them are
either stored in the app's data directory, shipped with the app, or
derivable from the stored values.

With the master_encryption_key, both additional configuration values
(the value previousFileConfiguration from the shared preferences file)
and the database password (also stored in the shared preferences file)
can be decrypted. With the database password, e-mail headers and
messages can be decrypted from the database files. If password
authentication is used for the e-mail server, the account password can
be decrypted as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof-of-Concept (PoC):

With this knowledge, SySS GmbH developed a proof-of-concept software
tool which, given only the information from the shared preferences
file, decrypts the master_encryption_key, the database password and the
previous configuration (the account and password shown below are test
data from the lab setup):

I/System.out(12021): SYSS: Decrypted Database Key: CCchhXYOLyhpgmzDvoSIv8yDMLVfV5CR
I/System.out(12021): SYSS: Decrypted Previous File Configuration: test@steglich.syss.de:-:test@steglich.syss.de:-::-::-:
test@steglich.syss.de:-:TestPassword123!:-:0:-::-:0:-:null:-:null:
-:null:-:null:-::-::-:5:-:6:-:1:-:0:-:1:-:1:-:-2:<...>

With the tool sqlcipher, the databases could then be decrypted using the
decrypted database key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to AirWatch Console version 9.0 FP1 or later and AirWatch Inbox
version 2.12 or later, and enable PIN-based encryption (PBE). Both steps
are needed: only with PBE enabled does the container key depend on a
secret the user supplies rather than on values stored on the device.

See [2] for the VMware Security Advisory on the issue and more
information.
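The following is an added illustration, not code from SySS or from the AirWatch app: it models the key-derivation pattern the advisory describes (a master key computed purely from deviceUID, Vector, a static string and a deviceUID-derived value, all recoverable from the app directory) next to a PBE-style design in which the master key is stored only wrapped under a key derived from the user's passphrase. The static string, the hash-based derivation, the native-library stand-in and the XOR-plus-HMAC wrapping are placeholders chosen for the example; the real AirWatch algorithm is not published in the advisory and is not reproduced here.

```python
"""Device-bound key derivation (the weak pattern) vs. passphrase-bound
key wrapping (PBE-style). Illustrative model only, not AirWatch code."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Placeholder for the hard-coded string shared by all apps (assumed value).
STATIC_STRING = b"assumed-static-string-in-every-app"
PBKDF2_ITERATIONS = 200_000


def native_value(device_uid: bytes) -> bytes:
    """Stand-in for the value a native library derives from deviceUID alone.
    Anything computable from deviceUID adds no secrecy: whoever holds the
    extracted data directory and the APK can recompute it."""
    return hashlib.sha256(b"native-lib:" + device_uid).digest()


def device_bound_master_key(prefs: Dict[str, bytes]) -> bytes:
    """Weak scheme: every input is in the shared preferences file or the app
    itself, so the key is reproducible without any user secret."""
    material = (prefs["deviceUID"] + prefs["Vector"] + STATIC_STRING
                + native_value(prefs["deviceUID"]))
    return hashlib.sha256(material).digest()


def _pbe_keys(passphrase: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from the PIN."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def pbe_wrap(master_key: bytes, passphrase: bytes, salt: bytes) -> bytes:
    """PBE-style scheme: a random master key is stored only wrapped under a
    passphrase-derived key. XOR with a key-sized pad plus an HMAC tag is
    used here as a stand-in for a real key-wrap mode such as AES-GCM."""
    enc_key, mac_key = _pbe_keys(passphrase, salt)
    if len(master_key) != len(enc_key):
        raise ValueError("master key must be 32 bytes")
    wrapped = bytes(m ^ k for m, k in zip(master_key, enc_key))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return wrapped + tag


def pbe_unwrap(blob: bytes, passphrase: bytes, salt: bytes) -> Optional[bytes]:
    """Return the master key, or None when the passphrase is wrong or the
    blob was tampered with (tag check happens before any unwrapping)."""
    wrapped, tag = blob[:32], blob[32:]
    enc_key, mac_key = _pbe_keys(passphrase, salt)
    expected = hmac.new(mac_key, wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(w ^ k for w, k in zip(wrapped, enc_key))


def provision(passphrase: bytes) -> Tuple[Dict[str, bytes], bytes]:
    """Simulate app setup. Returns what lands on disk (the shared preferences
    as an attacker would copy them) and the PBE master key the app keeps in
    memory. Device values are constructed sample data."""
    salt = os.urandom(16)
    pbe_master_key = os.urandom(32)
    prefs = {
        "deviceUID": b"constructed-device-uid-0001",
        "Vector": os.urandom(16),
        "salt": salt,
        "wrapped_master_key": pbe_wrap(pbe_master_key, passphrase, salt),
    }
    return prefs, pbe_master_key


def offline_attack(prefs: Dict[str, bytes], pin_guess: bytes) -> Dict[str, Optional[bytes]]:
    """What a copy of /data/data/<app>/ yields without the user's passphrase:
    the device-bound key always, the PBE key only if the guess is right."""
    return {
        "device_bound_key": device_bound_master_key(prefs),
        "pbe_key": pbe_unwrap(prefs["wrapped_master_key"], pin_guess, prefs["salt"]),
    }


if __name__ == "__main__":
    disk, real_key = provision(b"4711")
    loot = offline_attack(disk, b"0000")
    print("device-bound key recovered:", loot["device_bound_key"].hex())
    print("PBE key with wrong PIN:", loot["pbe_key"])
```

In the weak scheme `offline_attack` needs nothing beyond the copied preferences, which is exactly the situation the PoC above exploits; in the PBE scheme the same copy only buys the attacker an offline guessing attack against the PIN, which is why the PBKDF2 iteration count and a sufficiently long passphrase matter.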
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-03-17: Vulnerability discovered
2016-04-04: Vulnerability reported to vendor
2017-01-28: Updated AirWatch Inbox app published
2017-01-30: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] VMware AirWatch website
    http://www.air-watch.com/solutions/mobile-email-management/
[2] VMware Security Advisory on the issue
    http://www.vmware.com/security/advisories/VMSA-2017-0001.html
[3] SySS GmbH, SYSS-2016-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-028.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Finn Steglich of SySS GmbH.

E-Mail: finn (dot) steglich (at) syss (dot) de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Finn_Steglich.asc
Key ID: 0x978723E3
Key Fingerprint: 62E7 D39B 525D ADBC 3C0E 576C 80A1 3D93 9787 23E3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYufTm1Jdrbw8DldsgKE9k5eHI+MFAliQhFoACgkQgKE9k5eH
I+P8RA//YayuE8JU7eUf/06sNXdAQbUlhwupRDuT9FZ+FBN5khpCMmBbuKjqXwD9
Z0cFWR2+3FhNK5t6BPt1dwOzrkPEFdbU8xoDnDPZkcNQvk9oaIEERajHY1TEoeJY
0d8fwJQOzedFxzjyynouLAyWHOFbmZFyhEMfjnBCbLJnxJyTZhXM+wnm7WmxSTnO
oWWkP/BwHrdHHZrrpuqpyoIS43R3CB77xIEcqibCGiCcvzlrVO1SxnBb6Q3LKR1z
Z6LrFl+lDT4xwNzxd5cC+eaOq9wKf7Ter9+MfMnux4LVDNOd8WpSoVJtzRlzP0Dt
nDatxxZMpR38ojut/U5wTO6CE3/ubGNeGGbc4+2gQDU30AVOOZCQr3ZVsz1rv40B
8q1/Re9d7AH2N5b6mhaQSZWIfYpq/gYQ/G65VCGWEgORfA9AVA307zt8by0iYEu4
GleK/6ZmMj01m93MWB/hJjWlOOAtKLgvjrUXpfRghxSc2O3TI9AscN4Ugn1Bd2rZ
DZ+rG9+/e1pGR1ZtuRFGkrRheWqIerSlIYHdJ4QPREp3mqI9LSLA04YTl0LFylDO
yxx1CsyFCmmINWztHCpF73V28XDerZgwvRjydIXybSb5M8RQF0j8hQYAw557EUku
jfkiNvocq6tRKGEZRYpA7POqmLXZ4q1tNXIwk93ejl/j8+V7cHA=
=+t4Z
-----END PGP SIGNATURE-----